"Iranian Hackers Compromised a US Federal Agency's Network Using Log4Shell Exploit"

Iranian government-sponsored threat actors have been linked to the compromise of a US federal agency, which involved exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. The information was disclosed by the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) following incident response efforts conducted by the agency from mid-June to mid-July 2022. Log4Shell, also known as CVE-2021-44228, is a critical Remote Code Execution (RCE) flaw in Apache Log4j, a popular Java-based logging library. The open-source project's maintainers addressed it in December 2021; however, since the beginning of the year, Iranian state-sponsored groups have been exploiting Log4j vulnerabilities in VMware Horizon servers. CISA did not attribute the incident to a specific hacking group, but a joint advisory issued in September 2022 by Australia, Canada, the UK, and the US suspected Iran's Islamic Revolutionary Guard Corps (IRGC) of exploiting the flaw. According to CISA, the affected organization was breached as early as February 2022: the attackers weaponized the vulnerability to add a new exclusion rule to Windows Defender that allowlisted the entire C: drive. As a result, the adversary was able to download a PowerShell script without triggering any antivirus scans, which in turn allowed the adversary to retrieve the XMRig cryptocurrency mining software hosted on a remote server as a ZIP archive file. This article continues to discuss the exploitation of the Log4Shell vulnerability by Iranian government-sponsored threat actors to compromise a US federal agency.
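A defender-side check for the kind of Windows Defender exclusion described above (a whole drive root allowlisted), written as an added example that is not taken from the article or from CISA's advisory. It assumes the Defender PowerShell module (Get-MpPreference) and the Defender operational event log are available on the host and that it is run in an elevated session.

```powershell
# Added example (not from the article): audit Microsoft Defender exclusions
# for overly broad entries such as a whole drive root, which is the kind of
# rule the article describes being added for the C: drive.
# Assumes the Defender PowerShell module (Get-MpPreference) and the Defender
# operational event log are available; run in an elevated session.

function Test-BroadExclusion {
    param([string]$Path)
    # A drive root ("C:", "C:\"), a bare wildcard, or a root-level wildcard
    # effectively disables scanning for most of the filesystem.
    return ($Path -match '^[A-Za-z]:\\?$') -or
           ($Path -match '^\*') -or
           ($Path -match '^[A-Za-z]:\\\*')
}

function Get-BroadDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and (Test-BroadExclusion $p)) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p }
        }
    }
    # Process exclusions for scripting hosts let a dropped script run unscanned.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc -match '(?i)powershell|cmd\.exe|wscript|cscript|mshta') {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc }
        }
    }
    return $findings
}

function Get-RecentExclusionChanges {
    param([int]$Days = 30)
    # Event ID 5007 is logged whenever Defender configuration changes,
    # including new exclusions; the message names the registry value that was set.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        Select-Object TimeCreated, Message
}

Get-BroadDefenderExclusions | Format-Table -AutoSize
Get-RecentExclusionChanges | Format-List
```

Any Path finding that names a drive root, or a 5007 event adding an exclusion that no change ticket explains, is worth treating as a potential tampering indicator rather than a misconfiguration.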

THN reports "Iranian Hackers Compromised a US Federal Agency's Network Using Log4Shell Exploit"
