Iran-backed hacker group hacks US government agencies and deploys cryptocurrency mining malware using Log4Shell

Since the vulnerability Log4Shell (CVE-2021-44228) was discovered in a Java logging library used in a wide range of programs, cryptocurrency mining and data theft exploiting it have occurred frequently, and Microsoft has warned that state-linked hacking groups are using Log4Shell, causing considerable confusion. According to a joint advisory issued by the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) on November 16, 2022, a hacker group backed by the Iranian government hacked a Federal Civilian Executive Branch (FCEB) organization and installed the cryptocurrency mining malware XMRig.

Log4Shell is a vulnerability discovered in the Java log output library 'Apache Log4j'. Due to the widespread use of Apache Log4j, the scope of the impact is large, and security-related organizations and media outlets have issued warnings to apply patches, but damage such as the spread of malware and data theft has occurred frequently.

In response to the Log4Shell epidemic, CISA issued a notification to each administrative department to apply a patch. However, Log4Shell-related threats did not stop after that, and in March 2022 it was reported that there was evidence that a hacker group allegedly receiving state support from the Chinese government had infiltrated government networks in six US states.

And on November 16, 2022, CISA announced that an unnamed threat group backed by the Iranian government had used a Log4Shell exploit against an unpatched server and then compromised the network of an FCEB agency. According to the joint FBI and CISA advisory, the Iranian hackers deployed cryptocurrency mining malware, then compromised credentials and set up a reverse proxy on the compromised servers, maintaining persistence within the FCEB agency's network.

After the Log4Shell patch was released in December 2021, hackers are believed to have immediately begun scanning for and attacking systems that were left unpatched. "Any organization that has not yet applied a patch against Log4Shell should assume that it has already been attacked by hackers, and agencies should begin looking for malicious activity within their networks," the FBI and CISA advise.

In their advisory text, CISA and the FBI urge organizations to apply the following mitigations and defensive measures:

• Update VMware Horizon and Unified Access Gateway (UAG) systems to the latest versions.
• Minimize the organization's Internet-facing attack surface.
• Exercise, test, and validate the organization's security program against the threat behaviors mapped to the MITRE ATT&CK framework in the Cybersecurity Advisory (CSA).
• Test the organization's existing security controls against the ATT&CK techniques described in the CSA.
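The first two mitigations both come down to knowing whether an unpatched Log4j copy is still present on a host. The following script is an added example, not code from the advisory or from the Apache project: it walks a directory tree, finds every log4j-core jar, reads its version from the file name, checks whether the JndiLookup class (whose removal was an interim mitigation) is still inside the archive, and classifies each jar. The threshold version 2.17.1 and the status labels are assumptions for this example, and the three sample jars it builds in a temporary directory are constructed fixtures.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed threshold (not stated in the advisory text): jars older than this
# are treated as not carrying the complete set of Log4Shell-era fixes.
MIN_SAFE_VERSION = (2, 17, 1)
# The class whose removal from the jar was an interim Log4Shell mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_NAME_RE.search(filename)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version, has_jndi_lookup):
    """Map a jar's version and JndiLookup presence to a remediation status."""
    if version is None:
        return "unknown"
    if version >= MIN_SAFE_VERSION:
        return "patched"
    # Old version: only mitigated if the JNDI lookup class was stripped out.
    return "mitigated" if not has_jndi_lookup else "vulnerable"


def inspect_jar(path):
    """Open one jar and report its version and remediation status."""
    path = Path(path)
    version = parse_version(path.name)
    try:
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return {"path": str(path), "version": version, "status": "unreadable"}
    return {"path": str(path), "version": version, "status": classify(version, has_jndi)}


def scan_tree(root):
    """Find every log4j-core jar under root and classify it."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))]


def _write_jar(path, with_jndi_lookup):
    """Write a minimal constructed jar (a zip) with or without the lookup class."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes


def build_sample_tree(root):
    """Constructed fixture: three jars in three different remediation states."""
    root = Path(root)
    _write_jar(root / "app1/lib/log4j-core-2.14.1.jar", with_jndi_lookup=True)          # unpatched
    _write_jar(root / "app2/WEB-INF/lib/log4j-core-2.16.0.jar", with_jndi_lookup=False)  # class removed
    _write_jar(root / "app3/lib/log4j-core-2.17.1.jar", with_jndi_lookup=True)          # patched
    return root


def demo():
    """Build the constructed tree in a temp dir and return {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {Path(f["path"]).name: f["status"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:11} {name}")
```

Point `scan_tree()` at an application root instead of the constructed fixture to get the same report for real hosts. The script only matches jars by file name and does not descend into fat jars or WAR files that bundle log4j-core inside another archive, so a clean result from it is a starting point for the "assume you have been attacked" hunt the advisory recommends, not a substitute for it.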

