The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says Iranian state-sponsored actors compromised a federal network. The attackers exploited the Log4Shell vulnerability in an unpatched VMWare Horizon server to install crypto mining software in a Federal Civilian Executive Branch (FCEB) agency. The threat actors also moved laterally to the domain controller, where they compromised credentials and implanted Ngrok reverse proxies. The threat actors changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated. Here’s how:
- The TAs used an exploit payload that relied on a PowerShell command: powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"
- Then they used Mimikatz on VDI-KMS to harvest credentials and create a rogue domain administrator account that allowed them to move laterally within the network.
- Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files on multiple hosts.
Impact
The FCEB includes a long list of non-defense executive branch agencies, including the Department of Homeland Security and the Department of Justice, so a compromise is potentially significant. The attack also indicates the scope of possible risk from Log4Shell for private organizations.
The CISA observed the actors downloading around 30 megabytes of files, including the tools they used in the attack. The hacker was also observed attempting to dump the Local Security Authority Subsystem Service (LSASS) process with task manager but this was stopped by antivirus software.
DXC perspective
CISA recommends that organizations with VMware Horizon instances not patched for Log4Shell treat those systems as compromised and follow incident response procedures. A full list of TTPs is available in the advisory. We recommend that all organizations update VMware Horizon systems and make sure they have implemented robust antivirus and other endpoint protection tools.