Hackers with connections to the Iranian government broke into a U.S. government agency’s network in early 2022, utilizing a well-known flaw in an open-source software library to install cryptocurrency mining software and compromise credentials, federal cybersecurity officials said Wednesday.
By exploiting the Log4Shell vulnerability, the Iranian-backed hackers broke into an an unpatched VMware Horizon server in February and then used that access to move laterally within the network of an unidentified federal agency, according to Wednesday’s joint advisory from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation.
On Thursday, The Washington Post reported that the affected agency was U.S. Merit Systems Protection Board.
When the Log4Shell vulnerability was discovered late last year, security researchers warned that it would likely be exploited for years to come. The vulnerability affects the open-source software Log4j, which is a nearly ubiquitous tool that software developers have built into a huge range of software.
Wednesday’s advisory, coming nearly a year after Log4Shell’s discovery, illustrates just how difficult it is to address software vulnerabilities in these widely deployed software packages.
“Log4shell is endemic and it’s going to be around forever,” Dan Lorenc, the CEO and co-founder of Chainguard, a supply chain cybersecurity company, said in an email Wednesday. “It will remain in every attacker’s toolbox and continue to be used to gain access or for lateral movement for the foreseeable future.”
Following the disclosure of the flaw in Log4j, CISA ordered agencies under its jurisdiction to carry out an emergency patching operation, and state-backed hackers immediately began scanning for vulnerable systems to target. Officials warned then that the sprint to fix vulnerable systems would likely not catch all cases of vulnerable software being used, and Wednesday’s advisory is evidence of the gaps that remain in patching Log4j.
Organizations still running vulnerable versions of Log4j should assume they’ve been breached, CISA and the FBI said in the Wednesday advisory.
Iranian hacking groups have relied on unpatched versions of log4j to gain access to a wide variety of sensitive U.S. systems. In February, Iranian hackers gained access to a U.S. aerospace company and the computer systems of a municipal government by using the vulnerability, according to a September advisory from U.S. and allied cybersecurity agencies. That advisory attributed the activity to groups with ties to Iran’s Islamic Revolutionary Guard Corps.
Wednesday’s advisory did not name the group within Iran believed to be responsible for the breach, blaming “Iranian government-sponsored APT actors,” using the acronym for advanced persistent threats, which typically refers to state-sponsored or highly resourced activity. According to the advisory, the attackers relied on common software to exploit the Log4Shell vulnerability and carry out the operation, including XMRig, for cryptocurrency mining, PsExec, Mimikatz and Ngrok.
At times, hackers working on behalf of the Iranian government have been accused of more traditional cybercrime activities, such as ransomware attacks, in operations that have “blurred the lines between e-crime and espionage,” a researcher told CyberScoop in September. Wednesday’s advisory may describe another such operation in which hacking groups — perhaps working at arm’s length from the government — mingle espionage and cybercrime.
Updated Nov. 17, 2022: This story was updated after publication to add new information about the U.S. federal agency reportedly breached by Iranian-linked hackers.