U.S Cyber security infrastructure and security Agency uncovered a potential cyber attack on the U.S Federal network where attackers compromised the organization’s DC and possibly deployed crypto Miner, credential Harvester.
Iranian APT hackers launched an attack on Federal Civilian Executive Branch (FCEB) organization by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server.
CVE-2021-44228 (log4Shell) was a zero-day vulnerability in Log4j, a popular Java logging framework involving arbitrary code execution, and affects a wide range of products, including the VMware Horizon.
CISA believes that the attack was initiated by Iran government-backed hackers who install XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
On April 2022, CISA conduct a routine investigation and suspected malicious APT activities on the FCEB network with the help of EINSTEIN—an FCEB-wide intrusion detection system (IDS).
APT Activities Investigation
During the investigation, researchers found bi-directional traffic between the network and a known malicious IP address associated with the exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers.
As a result, there was an HTTPS activity initiated from IP address 51.89.181[.]64 to the organization’s VMware server, further in-depth analysis reveals that the IP associated with Lightweight Directory Access Protocol (LDAP) server that was operated by threat actors to deploying Log4Shell.
“Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.” said in the CISA report.
Researchers also found an LDAP callback to the IP 51.89.181[.]64 on port 443, upon successful exploitation of the Log4Shell vulnerability, threat actors compromised the Domain Controller.
Technical Analysis
Iranian APT threat actors initially found an unpatched VMware Horizon server that was deployed by the organization, and established a connection from malicious IP address 182.54.217[.]2 lasting 17.6 seconds.
In order to evade the Windows defender detection, attackers added the exclusion tool to WD using the following PowerShell commands:
powershell try{Add-MpPreference -ExclusionPath ‘C:\’; Write-Host ‘added-exclusion’} catch {Write-Host ‘adding-exclusion-failed’ }; powershell -enc “$BASE64 encoded payload to download next stage and execute it”
Adding the exclusion tool, attackers escape from the virus scan and download the further tools to the c:\drive.
Later a C2 server communication will be established and exploit payload then downloaded mdeploy.text from 182.54.217[.]2/mdepoy.txt to C:\users\public\mde.ps1.
Soon after it downloads the file.zip from 182.54.217[.]2, mde.ps1 will be wiped out from the disk to reduce the risk of being caught by the AV engine.
When the researchers dug deep into the file, file.zip carried a crypto-mining software and also downloaded around 30 megabytes of files from transfer[.]sh server that contains the following tools.
- PsExec – a Microsoft signed tool for system administrators.
- Mimikatz – a credential theft tool.
- Ngrok – a reverse proxy tool
The Mimikatz tool was used against the VDI-KMS to harvest credentials and created a rogue domain administrator account through which attackers leverage the RDP and gain control over several hosts within the network.
Later they manually disabled the Windows defender with the help of GUI and eventually implanted Ngrok executables and configuration files.
“The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot.”
Soon after the attackers established a deep foothold on the network, attackers executed the PowerShell command on the active directory to gain access to all the machines associated with the domain, and this operation was successfully performed at a lateral moment after they gained the Domain Controller access.
Finally, threat actors have changed the local administrator password as a backup if the rogue domain admin access is detected and terminated.
Mitigation:
CISA & FBI advised all organizations to immediately apply available patches and follow the mitigations:
- Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
- Keep all software up to date
- Minimize the internet-facing attack surface
- Use best practices for identity and access management (IAM)
- Audit domain controllers to log
- Create a deny list of known compromised credentials
- Secure credentials by restricting where accounts and credentials can be used.
Source:Cyber Security News