State-sponsored Iranian hackers exploited a widely known vulnerability to gain access to the US government’s federal computer system. Unauthorized access has been used to mine cryptocurrency.
CISA has disclosed that a Federal Civilian Executive Branch (FCEB) has been affected by the hacking.
Currently, the incident is being further investigated by network defenders to uncover the scope of the related compromised assets, hacking damage is being mitigated, and the security is being fixed and strengthened.
Any organizations that haven’t applied patches to fix the vulnerability that compromised the government agency are advised to fix this critical flaw that could compromise their systems.
Could this attack on the government agency have been avoided with programs such as Threat Exposure Management?
Let’s start from the beginning.
Start of the Attack
Although the US government stated that the attack occurred on Wednesday, the hacking activity can actually be traced back as far as February.
The Government noticed signs of the threat and started the mitigation and recovery process from mid-June to mid-July 2022.
Iranian hackers sponsored by the government managed to successfully deploy a crypto miner that allowed them to generate cryptocurrency and a password harvester that enabled them to obtain credentials.
In cybersecurity, this type of attack is cataloged as an advanced persistent threat (ATP) — the term that refers to sophisticated cyberattacks done by state-sponsored threat actors.
Additionally, ATP also refers to hacking activity that goes under the radar for extended periods — as in this case where the hackers were not discovered for over nine months.
Exploiting a Well-Known Flaw
The threat actors were able to get access to federal computers after uncovering an unpatched vulnerability known as Log4Shell.
In 2021, this zero-day weakness was marked as a high-risk issue and assigned a maximum score of 10 on vulnerability metrics. This component has compromised a lot of software and it has been announced that it might even allow hacking activity for years to come.
CISA alarmed organizations to fix this well-known issue in December 2021. After the bug has been publicly announced, multiple hacking groups started to scan the internet to discover any organization that hasn’t yet patched up this major weakness.
The patches for the exploit that would fix this bug had been released a year prior to the attack, but the agency failed to update its security, i.e. apply said patches.
Mining Crypto via the Federal Computer System
Once the cybercriminals gained access to the system, they used the government computer systems to mine cryptocurrency.
More precisely, the crypto mining malware dubbed XMRig has been used in the attack.
What’s more, they also compromised accounts to move deeper into the system and obtain sensitive data.
Ultimately, the real motif of the Iranian hackers and the full extent of the attack is not yet known.
The Necessity of Regular Security Management
This case reminds both government agencies and businesses that regular security management is just as important as having multiple layers of tools that cover all the assets and security analysts.
For example, Threat Exposure Management is a program designed to facilitate IT teams to find and fix weaknesses before cyber criminals do. It does so in five stages:
- Scoping — that includes mapping of the external attack surface (anything that can be exploited that is available via the internet, such as leaked passwords)
- Discovery — cataloging all the assets that could be compromised in a case of a breach
- Prioritization — identifying parts of the infrastructure that are likely to be the target of hacking, that are high risk
- Validation — simulating attacks that mimic hacking activity and uncover vulnerabilities that need fixing
- Mobilization — remediation and strengthening of security by fixing critical problems
One of the benefits of such a program is that it is run on artificial intelligence that allows it to continually test and report on the possible high-risk bugs, such as Log4Shell that, if unpatched, are likely to turn into incidents.
What’s more, the program also follows the rapidly shifting attack surfaces that are likely to be disrupted by new hacking techniques and flaws caused by the adoption of new technology such as cloud computing.
This is possible because the program is linked to the MITRE ATT&CK Framework — the resource that lists all the recent vulnerabilities and hacking methods as well as suggestions on how to mitigate and fix flaws.
MITRE is used by cyber experts worldwide and Log4Shell is one of the weaknesses cataloged in its extensive library.
Advanced Hacking Threats
Threat Exposure Management also aids IT teams to uncover the signs of more sophisticated hacking threats on time — before they compromise the system and user data.
Advanced hacking refers to cybercriminal activity that uses more complex techniques — which are more difficult to discover.
Behind such threats are usually threat actors that have been targeting their victims and looking for vulnerabilities for months at a time.
Even though the automated program might not be able to detect encrypted hacking activity or uncataloged (zero-day) threats, it can identify known vulnerabilities within the system such as Log4Shell.
Weaknesses could be people that lack cybersecurity training and are likely to fall for phishing schemes or unpatched critical flaws such as Log4Shell that could have been easily avoided with provided patches.
This particular case shows how long it can take for sophisticated hacking to be discovered in the system —- even for high-profile victims such as government agencies.
It’s also a reminder of the importance of both having a robust security system as well as regularly managing it and using the programs and protective software that can detect flaws on time.
The complete aftermath of this attack, the extent of the compromised data and systems, is yet to be known.
However, this incident is a wake-up call for organizations that might have critical flaws stemming from well-known and unpatched vulnerabilities.
You may be interested in: How to maximize Crypto Security