
Iranian compromise of federal network demonstrates enduring nature of Log4j

November 17, 2022 – Published on SC Magazine

Iranian government-sponsored hackers infiltrated an unnamed US government agency’s network earlier this year, taking advantage of the Log4Shell vulnerability to deploy crypto miners and compromise credentials, US cybersecurity officials said Wednesday.

The details, which were shared in Wednesday’s joint advisory by the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), and the FBI, reveal that the hackers broke into an unpatched VMware Horizon server in February, with US security officials responding to the attack in June to clean up the network.

The advisory also warned that organizations that have not patched vulnerable versions of Log4j should assume they have been compromised. The attack underscores the enduring presence of the Log4j vulnerability, which made global headlines a year ago and remains an active threat for many organizations; CISA warned late last year that the flaw could still affect hundreds of millions of devices.

But federal agencies were supposed to enumerate all of their software assets against a CISA-managed GitHub repository of software known to be affected by the bug and prioritize patching, as required by an emergency Binding Operational Directive that CISA issued to civilian federal agencies last year. That requirement was later incorporated into the agency’s Known Exploited Vulnerabilities database, a rolling list of vulnerabilities that civilian federal agencies must identify and patch within two weeks.

The hack revealed Wednesday shows that organizations, including federal agencies, fail to maintain robust vulnerability management processes, said Nic Finn, threat intelligence consultant at GuidePoint Security.

“There are over 13,000 US-based servers hosting VMware Horizon, according to Shodan data. It is a trivial process for an actor with Nemesis Kitten’s resources to attempt to exploit this vulnerability against those servers. Even a 1% vulnerability rate still indicates 130 vulnerable servers,” Finn told SC Media.
