Log4j vulnerability used by Iranian hackers to penetrate critical government networks

An unpatched Log4j vulnerability has been used by Iranian state hackers to gain access to a US government network. Here they looted passwords, changed passwords and used the network to mine cryptocurrency. The attackers went undetected for months.

The US CISA reports having detected advanced persistent threat (APT) activity on the network of an unidentified US government agency. The activity was detected in april, but only now brought out. Based on an analysis, CISA and the FBI attribute the attack to Iranian state hackers.

The attackers managed to gain access to the government network in February using Log4Shell. This is a vulnerability in Apache Log4j discovered in November 2021. The vulnerability was addressed through an update, but a VMware Horizon server from the government department was found not to be up to date. This is despite the fact that CISA ordered all federal government departments in the US to patch the vulnerability at the end of December.

Once penetrated on the network, the attackers installed XMRig, with which they mined cryptocurrency. Later, they gained access to a VMware VDI-KMS host, where they downloaded a Microsoft-signed tool for system administrators called PsExec. In combination with Mimikatz, the attackers use this tool for stealing for credentials. Through the spare proxy tool Ngrok they managed to bypass firewalls and maintain access to the network. Also, the password of the local administrator account was changed by the attackers on several hosts.