The compromise of an unnamed US government organisation by an Iranian advanced persistent threat (APT) actor that exploited the Apache Log4j Log4Shell vulnerability on a VMware Horizon server has led to renewed calls for organisations to remain vigilant against the still highly dangerous threat, and prompted a fresh flurry of patching and remediation among the many organisations that remain exposed.
In a cyber security advisory (CSA) notice published on 16 November, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI revealed that an unspecified organisation in the Federal Civilian Executive Branch (FCEB) had been compromised by a Tehran-backed actor, which got into its systems via a VMware Horizon server that was not patched against Log4Shell.
The incident was discovered during the summer of 2022, but CISA established that it had begun in February, when the APT accessed its victim’s network and installed the XMRig cryptominer before moving laterally to the domain controller (DC), from where it compromised credentials and then implanted Ngrok reverse proxies on a number of hosts to maintain persistence.
“CISA and FBI encourage all organisations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat-hunting activities,” CISA said in the advisory.
“If suspected initial access or compromise is detected based on IOCs [indicators of compromise] or TTPs [tactics, techniques and procedures] described in this CSA, CISA and FBI encourage organisations to assume lateral movement by threat actors, investigate connected systems – including the DC – and audit privileged accounts.
“All organisations, regardless of identified evidence of compromise, should apply the recommendations in the mitigations section of this CSA to protect against similar malicious cyber activity.”
If they have not already done so, organisations should immediately update their affected VMware Horizon servers and unified access gateway (UAG) systems to the latest version; minimise their internet-facing attack surface; exercise, test and validate security programmes against the behaviours mapped to the MITRE ATT&CK for Enterprise framework; and test existing controls against the described ATT&CK techniques.
Brian Fox, chief technology officer at software development security specialist Sonatype, said his organisation’s telemetry showed that somewhere between 38% and 40% of Log4j downloads were still vulnerable to Log4Shell – this number would clearly have been higher in February when the specific compromise occurred.
“It’s not surprising that we continue to see APT groups use it as a part of their toolkit. The advisory should serve as a warning to everyone in the industry, especially those in the federal space, to not lose sight of continuing to find straggling systems with potentially vulnerable versions,” said Fox.
“That’s why SBOMs [software bill of materials] and quality software composition analysis solutions are so important – developers and organisations need transparency into every element of their software supply chains for efficient fixes and to stay secure.”
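One practical way to find the straggling systems Fox describes is to inventory Log4j on disk. The following Python script is an added example, not code from the article, CISA or Sonatype: it walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside archives), identifies log4j-core by a class it ships, reads the Implementation-Version from the manifest, and flags cores below a version floor that still contain the JndiLookup class. The 2.17.1 floor, the class paths used as markers and the three fake archives it scans are assumptions constructed for this example.

```python
import io, os, re, tempfile, zipfile
SAFE_FLOOR = (2, 17, 1)   # assumption of this example: set it to your own patch policy
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_MARK = "org/apache/logging/log4j/core/Logger.class"  # present only in log4j-core
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(manifest):
    # Implementation-Version from MANIFEST.MF as a comparable tuple, or None if absent
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest, re.M)
    return tuple(int(p) for p in m.group(1).split(".") if p) if m else None

def inspect_archive(zf, label):
    # Yield one finding per log4j-core found in zf, recursing into nested archives
    names, mf = zf.namelist(), "META-INF/MANIFEST.MF"
    if CORE_MARK in names:
        version = parse_version(zf.read(mf).decode("utf-8", "replace") if mf in names else "")
        below_floor = version is None or version < SAFE_FLOOR
        # Log4Shell needs an unpatched version AND the JNDI lookup class still present
        yield {"path": label, "version": version, "below_floor": below_floor,
               "log4shell_exposed": below_floor and JNDI_CLASS in names}
    for name in names:  # e.g. WEB-INF/lib/log4j-core-*.jar packed inside a WAR
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as nested:
                    yield from inspect_archive(nested, f"{label}!{name}")
            except zipfile.BadZipFile:
                continue

def scan_tree(root):
    findings = []   # one dict per log4j-core found under root, nested archives included
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            try:
                with zipfile.ZipFile(os.path.join(dirpath, fn)) as zf:
                    findings.extend(inspect_archive(zf, zf.filename))
            except zipfile.BadZipFile:
                continue
    return findings

def build_sample_tree():
    # Constructed sample input (fake archives, not real Log4j) so the scan runs offline
    root = tempfile.mkdtemp()
    for name, version, with_jndi in [("old-core.jar", "2.14.1", True),
                                     ("stripped-core.jar", "2.14.1", False),
                                     ("patched-core.jar", "2.17.1", True)]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
            zf.writestr(CORE_MARK, b"")
            if with_jndi: zf.writestr(JNDI_CLASS, b"")
    return root
```

Point scan_tree at a Horizon or UAG installation root, or any application directory, and treat every finding with below_floor set as a patch candidate even when log4shell_exposed is false, since a removed JndiLookup class mitigates only that one vector.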
This specific attack is likely the work of the group tracked as Cobalt Mirage by Secureworks – Phosphorus and Charming Kitten by others – which is known to favour Log4Shell and other high-profile vulnerabilities, ProxyShell being a noted favourite.
The Secureworks Counter Threat Unit said it had identified two distinct clusters of Cobalt Mirage attacks, one opportunistically deploying BitLocker and DiskCryptor as ransomware, and the other focusing on targeted intrusions for intelligence-gathering purposes.
It has demonstrated a preference for attacking Israeli organisations, but is not averse to hitting victims in Asia-Pacific, Europe and North America.
Operational security failures by the gang during a different incident revealed that Cobalt Mirage is linked to a private contractor aligned with, or even controlled by, the Intelligence Organisation of Iran’s Islamic Revolutionary Guard Corps (IRGC-IO).
“The pattern of private Iranian companies acting as fronts or providing support for Iranian intelligence operations is well established,” the Secureworks team wrote.
“The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative. While part of Cobalt Mirage’s activity appears espionage-focused, a significant portion is focused on opportunistic revenue generation through its ransomware activities.
“While these companies may work with the IRGC-IO, the ransomware attacks could be another source of revenue that they can pursue without fear of prosecution by Iranian law enforcement.”
Read more about Log4Shell fallout
- US government report concludes that, like Covid, Log4Shell will be with us for a long time to come.
- HackerOne CISO Chris Evans looks back at how the security community successfully rose to the challenge of Log4Shell, and saved organisations millions.
- Ransomware groups are exploiting the Log4Shell flaw in VMware Horizon and using DLL sideloading techniques to exfiltrate and encrypt data, according to Trend Micro.