Security Digest - Iranian Threat Actors - Log4Shell on the Feds
Vocal Characteristics
Language: English
Voice Age: Young Adult (18-35)
Accents: British (General), British (Received Pronunciation - RP, BBC)
Transcript
Note: Transcripts are generated using speech recognition software and may contain errors.
Iranian state-sponsored actors have been accused of compromising a United States federal agency by utilising the Log4Shell vulnerability in an unpatched VMware Horizon server. Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials and then implemented Ngrok reverse proxies on several hosts to maintain persistence. CISA have noted Log4Shell, or CVE-2021-44228, is a critical remote code execution flaw in the widely used Apache Log4j Java-based logging library. It was addressed by the open source project maintainers in December 2021. However, since so many of the third-party technologies used in organisations rely on it, efforts to patch and remediate this flaw have not been as swift as many would have hoped. According to CISA, the organisation is thought to have been breached around February 2022 by weaponising the vulnerability to add an exclusion rule to Windows Defender that allow-listed the entire C drive. Doing so made it possible for the adversary to download and execute a PowerShell script without triggering any of the Windows Defender protocols. Subsequently, this retrieved the XMRig cryptocurrency mining software, which was hosted on a remote server. This initial access further allowed the actors to retrieve more payloads, such as Mimikatz, a popular credential stealer, and Ngrok, which allows a server to be exposed to the external Internet for persistence. These were used in addition to utilising the Remote Desktop Protocol for pivoting and lateral movement, allowing the adversary to disable Windows Defender on multiple devices. Microsoft have reported attempts to enumerate the LSASS process, being quoted as saying:
"Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as PsExec and Windows Management Instrumentation to move laterally across the network." This is indicative of a new dawn of espionage and disruption that has bled over from large corporations, often with financial gain being the motive, to governments realising this can be an effective arm of their military prowess. The use of legitimate tooling along with off-the-shelf exploits shows how the waters can be muddied for defenders, who must adopt a zero trust approach and scrutinise every action taken on their network. What we can learn from this is that threat actors can stay in a system for months before unleashing any attack, so it is vitally important we use tools such as deception and threat intelligence, and implement logging and monitoring, to make sure we have not already been compromised and simply do not know it.
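The whole-drive Defender exclusion described in the transcript is something a defender can check for directly. The following is an added example, not part of the transcript or any cited advisory: it flags overly broad Microsoft Defender exclusion paths and lists recent Defender configuration-change events (Event ID 5007), assuming a Windows host with Defender and PowerShell; the function names and the sample exclusion list are constructed for illustration.

```powershell
# Flag Defender path exclusions that are too broad to be legitimate, e.g. an
# entire drive root such as C:\ (the technique described in the transcript).
function Get-BroadDefenderExclusion {
    [CmdletBinding()]
    param(
        # Exclusion paths to examine; defaults to the live Defender configuration.
        [string[]]$ExclusionPath = (Get-MpPreference).ExclusionPath
    )
    foreach ($p in $ExclusionPath) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        $trimmed = $p.TrimEnd('\')
        $reason = $null
        if ($trimmed -match '^[A-Za-z]:$') {
            $reason = 'Entire drive excluded'
        } elseif ($p -match '[\*\?]') {
            $reason = 'Wildcard exclusion'
        } elseif ($trimmed -match '(?i)^[A-Za-z]:\\(Users|Windows|ProgramData|Temp)$') {
            $reason = 'Broad system folder excluded'
        }
        if ($reason) {
            [pscustomobject]@{ Path = $p; Reason = $reason }
        }
    }
}

# Recent Defender configuration changes (Event ID 5007 in the Defender
# operational log); adding an exclusion is recorded as one of these events.
function Get-DefenderExclusionChange {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

# Constructed sample input mirroring the allow-listing of the whole C drive;
# only 'C:\' and '*.ps1' are reported, the narrow application folder is not.
Get-BroadDefenderExclusion -ExclusionPath @('C:\', 'C:\Program Files\App\logs', '*.ps1') |
    Format-Table -AutoSize

# Live checks against this host's Defender configuration and event log.
Get-BroadDefenderExclusion | Format-Table -AutoSize
Get-DefenderExclusionChange -Days 30 | Format-Table -AutoSize -Wrap
```

Reading the live exclusion list requires local administrator rights; the event query returns nothing on hosts where the Defender operational log is not present.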