A “federal civilian executive branch organisation” (FCEB) was breached by Iranian hackers in February, according to an alert issued by America’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The agency has not been named the agency in question, but FCEBs listed on the CISA website include all major US government departments.
Iranians hack Federal Agency with Log4shell
The unnamed Iranian state-backed hacking gang exploited Log4shell for initial access into the organisation’s unpatched VMware Horizon server. Once in, they installed cryptomining software and harvested for credentials.
Both the FBI and CISA are warning organisations “to assume compromise and initiate threat-hunting activities,” by patching affected VMware systems or applying workarounds immediately. The FBI is encouraging any affected organisations to “assume lateral movement by threat actors”, in their networks, and to audit privileged accounts.
CISA uncovered the intrusion during a retrospective analysis carried out in April. “By exploiting Log4shell, the actors gained access to a VMWare account with administrator and system level access,” reads the advisory.
Iran’s cyberattack on US and its allies continues
Iranian-state-backed hackers regularly attack public sector organisations and elements of critical national infrastructure of the US and its allies using popular vulnerabilities like Log4shell. In September, the FBI and CISA released a warning in conjunction with the NSA, the Treasury, the US Cyber Command (USCC) and the UK’s National Cyber Security Centre (NCSC) warning the public about the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).
The IRCG is a government agency tasked with “defending the Iranian Regime from perceived internal and external threats,” notes the advisory. The IRGC is a well-documented user of the VMware Log4shell vulnerability, and has been known to exploit several high-profile flaws in Microsoft’s Exchange Server which have been unearthed this year.
Iran has been upping the ante this year regarding cyberattacks, warns the 2022 Microsoft Cyber Defense report, with the US and Israel in its crosshairs. “By 2022, Iranian cyberattacks escalated in target selection and form of attacks,” the report says, adding: “Microsoft assesses an Iran-affiliated actor was most likely responsible for a sophisticated cyberattack that set off emergency rocket sirens in Israel in June probably by using software that adjusts audio over IP networks.”
This threat is unlikely to abate. In fact, it will probably become more pronounced, continues the report. “Iranian actors are likely to remain a threat to US and Israeli transportation and energy companies in the coming year.”