Headline
Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network
By Waqas The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB). This is a post from HackRead.com Read the original post: Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network
In December last year, it was reported that Iranian and Chinese hackers were exploiting the Log4Shell vulnerability in the wild. Now, according to the US CISA (Cyber security infrastructure and security Agency), an advanced persistent threat (APT) group sponsored by the Iranian government compromised the network of a U.S. federal agency.
The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).
Cyberattack Details
CISA revealed that the hackers used the Log4Shell vulnerability, tracked as CVE-2021-44228, in the unpatched VMware Horizon server to compromise the network and gain control of the organization’s domain controller (DC). Once they successfully invaded the system, the hackers deployed XMRig crypto mining software to steal credentials and mine for crypto.
For your information, Log4Shell is a zero-day vulnerability in a Java logging framework called Log4j that causes arbitrary code execution and impacts VMware Horizon and an extensive array of products.
CISA’s Analysis
As per CISA, their researchers conducted a routine investigation in April 2022 and identified suspicious APT activities on the FCEB network using the EINSTEIN intrusion detection system used by the agency.
They discovered bi-directional traffic passing through the network and an already found malicious I.P. address linked with Log4Shell vulnerability exploitation in VMware Horizon servers.
CISA further noted that an HTTPS activity was launched from I.P. address 51.89.18164 to VMware’s server. Further probe revealed that the I.P. address was associated with Lightweight Directory Access Protocol (LDAP) server operated by attackers to deploy Log4Shell.
Who are the Attackers?
In a joint advisory from CISA, the Department of Homeland Security, and the FBI, it was revealed that the attack was launched in February 2022. The attackers moved laterally to DC, stole credentials, and implanted Ngrok reverse proxies on multiple hosts to retain persistence. U.S. security officials responded in June to clean the network.
Reportedly, the hackers were identified as Nemesis Kitten, and they launched the attack with backing from the Iranian government. Nemesis Kitten is an extension of the Phosphorus Iranian malware group, and they regularly utilize well-known, highly exploitable vulnerabilities to facilitate ransomware attacks against organizations.
CISA warned that organizations still using the unpatched server versions should be concerned as they would eventually be compromised.
- Dirty Pipe Linux Vulnerability Overwrites Data
- Watch Out: Microsoft Office 0-Day Vulnerability Follina
- OpenSSL Released Patch for High-Severity Vulnerability
- Flaw in GPS Tracker Lets Hackers Remotely Control Vehicles
- Critical Amazon Ring Flaw Could Expose Camera Recordings
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism
Related news
In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and
An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.
The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based
Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability
Categories: Exploits and vulnerabilities Categories: News Tags: Zoho ManageEngine Tags: CVE-2021-40539 Tags: Log4Shell Tags: CVE-2021-44228 Tags: CVE-2021-13379 Tags: ProxyShell Tags: CVE-2021-34473 Tags: CVE-2021-31207 Tags: CVE-2021-34523 Tags: CVE-2021-26084 Tags: Atlassian Tags: CVE-2022-22954 Tags: CVE-2022-22960 Tags: CVE-2022-26134 Tags: CVE-2022-1388 Tags: CVE-2022-30190 Tags: Follina What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Read more...) The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.
The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands. "The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the
Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.
Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "given enough eyeballs, all bugs are shallow." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for
MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This Metasploit module will start an LDAP server that the target will need to connect to.
Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.
What are container image vulnerabilities?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses. The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.