Research January 6, 2023

Iran-Attributed Exploitation of Log4Shell Vulnerability

by Dr. Robert Ames, Staff Threat Researcher

Executive Summary

  • CISA and the FBI issued a joint advisory warning of ongoing exploitation of the Log4Shell vulnerability (CVE-2021-44228) on November 16.
  • The advisory noted that an unspecified Iran-linked threat actor group had exploited the vulnerability during an intrusion into a Federal Civilian Executive Branch (FCEB) organization’s network earlier this year.
  • The SecurityScorecard STRIKE team investigated the IoCs provided in the advisory and identified overlaps between them and previous Iran-attributed activity.
  • Based on these overlaps, SecurityScorecard STRIKE assesses with moderate confidence that the Iran-linked threat actor group tracked as TunnelVision is responsible for the intrusion. By extension, this suggests the involvement of the more established Iranian APT group Phosphorus.

Background

On November 16, CISA and the FBI published an advisory warning that an APT group believed to operate on behalf of the Iranian government was exploiting CVE-2021-44228, a VMware Horizon vulnerability also known as Log4Shell. The agencies based the advisory on the results of CISA’s June-July 2022 response to an incident affecting an unspecified FCEB organization, which a federal intrusion detection system first detected in April of that year.

Throughout that engagement, CISA found that threat actors had first accessed and exploited a server running a vulnerable version of VMware Horizon from 51.89.181[.]64, and that the affected victim server subsequently made a DNS query to us-nation-ny[.]cf, a domain that resolves to the same IP address.

During the initial compromise of the victim system, the target server also connected to 182.54.217[.]2, which CISA terms a “known malicious IP address,” and then executed PowerShell commands enabling the threat actors to download and execute additional malicious files, including the XMRig crypto mining software. Using remote desktop protocol (RDP), the attackers subsequently moved laterally and downloaded additional tools, including the reverse proxy tool Ngrok, which would play a prominent role in the attack’s later stages. They eventually harvested credentials and created a new domain administrator account to access additional hosts within the organization’s network.

Findings

SecurityScorecard researchers consulted internal and external datasets to enrich the information contained in the above-discussed advisory, observing connections between the IP addresses and domain it contains and previous activity attributed to the Iran-linked TunnelVision threat actor group. Researchers additionally observed less direct links to other threat actors.

Researchers first investigated the two IP addresses mentioned above, 51.89.181[.]64 and 182.54.217[.]2. They found that the latter already appears in SecurityScorecard’s internal threat intelligence platform, having appeared in earlier SecurityScorecard malware analysis, and that other vendors have linked both to malicious activity. Perhaps most tellingly, though, analysts previously linked 182.54.217[.]2 to Iran-attributed exploitation of the Log4Shell vulnerability.

A February 2022 report lists 182.54.217[.]2 as the IP address of a payload server used in a series of attacks that exploited the same VMware Horizon vulnerabilities targeted in the more recent federal incident and, as in that more recent incident, also made heavy use of PowerShell and Ngrok. Other IoCs in the February report reflect additional commonalities between TunnelVision and the more recent activity.

The domain contacted during the FCEB organization intrusion, us-nation-ny[.]cf, resolves to 51.89.181[.]64, an IP address belonging to OVH SAS, a French cloud service provider. It and the domain of a command-and-control server identified in February, microsoft-updateserver[.]cf, share a country code top-level domain (ccTLD), .cf (the ccTLD for the Central African Republic).

Moreover, aside from the shared payload server IP address, all of the other IP addresses contained in the February report (51.89.169[.]198, 142.44.251[.]77, 51.89.135[.]142, 51.89.190[.]128, 51.89.178[.]210, and 142.44.135[.]86), like 51.89.181[.]64, belong to OVH SAS. These overlaps in infrastructure and TTPs suggest that the TunnelVision group is responsible for the activity discussed in the November report in addition to the activity attributed to it in February.

Additional findings derived from these IoCs could help organizations defend against TunnelVision’s activity and similar incidents.

182.54.217[.]2 has served downloads of five files; those identified by the following SHA-256 hashes may be relevant to this activity:

  • 858c3d04334298398c0792520b0b752c0ecbb4e991fe1f48003d89272daace8d
    • Forty-six vendors detect 858c3d04334298398c0792520b0b752c0ecbb4e991fe1f48003d89272daace8d as malicious, with many identifying it using the term “miner,” which may suggest that it was involved in the crypto mining observed in the November advisory.
  • 5e698bf936a2590b37e3eb36892ad5769712a11644f5f50cbb3531ff4b4384e8
    • The file identified by the above SHA-256 hash has the name mdeploy.txt, a malicious file that, as the CISA-FBI joint advisory notes, downloads additional files when executed.
    • It contains the following domains. Traffic to them may indicate that this file is in use and could therefore merit attention from personnel monitoring traffic.
      • ifconfig[.]me
      • webhook[.]site

An additional file identified by the SHA-256 hash a06e34c4d316b98831625592678ebfe4b3dd1314676ca89e325f56d20b1acf6d, which communicates with 182.54.217[.]2, may reflect the activity discussed in the joint advisory. Vendors have linked the former to the WannaCry ransomware strain, which came to prominence in 2017.

The latter is a PowerShell file first submitted to VirusTotal on July 25. Although vendors have not deemed its behavior to be malicious, given the centrality of PowerShell to the activity described above, this file may indicate malicious activity even if its specific behavior is not malicious. In addition to 182.54.217[.]2, it contacts two other IP addresses:

  • 23.202.229[.]49
  • 23.202.229[.]50

Communication with these IP addresses may indicate that this file is in use and could therefore merit attention from personnel monitoring traffic, should they appear in an organization’s logs.
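A log sweep for the network indicators discussed above, as an added example that is not SecurityScorecard's or CISA's code. The tier labels, function names and sample log lines are assumptions of this example; it matches IP addresses exactly and hostnames by parent domain, so near misses are not reported.

```python
import ipaddress
import re

# Indicators from this report, stored defanged. Tiers are this example's own
# assumption: "high" = infrastructure named in the advisory, "context" = hosts
# the report flags for monitoring rather than as attacker infrastructure.
IOCS = {
    "51.89.181[.]64": "high", "182.54.217[.]2": "high",
    "us\u2010nation\u2010ny[.]cf": "high",  # U+2010 hyphens, as pasted from a PDF
    "23.202.229[.]49": "context", "23.202.229[.]50": "context",
    "ifconfig[.]me": "context", "webhook[.]site": "context",
}
TOKEN = re.compile(r"[a-z0-9._-]+")

def refang(ioc):
    """Undo defanging and normalise U+2010 hyphens so the value can match a log."""
    return ioc.replace("[.]", ".").replace("\u2010", "-").lower()

def key(text):
    """IP addresses compare as parsed objects, anything else as a hostname string."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return text

def sweep(lines, iocs=IOCS):
    """Return (line_no, defanged_ioc, tier) for each indicator found in lines."""
    index = {key(refang(raw)): (raw, tier) for raw, tier in iocs.items()}
    hits = []
    for no, line in enumerate(lines, 1):
        for token in TOKEN.findall(line.lower()):
            k = key(token.strip("."))
            parts = str(k).split(".")
            # IPs match exactly; hostnames also try each parent domain (x.webhook.site).
            keys = [k] if not isinstance(k, str) else [
                ".".join(parts[i:]) for i in range(len(parts))]
            hit = next((index[c] for c in keys if c in index), None)
            if hit:
                hits.append((no, *hit))
    return hits

# Constructed sample lines, not real telemetry.
SAMPLE = [
    "t=1 dns query=us-nation-ny.cf src=10.0.0.5",
    "t=2 fw dst=151.89.181.64 src=10.0.0.5",
    "t=3 proxy host=abc123.webhook.site src=10.0.0.5",
    "t=4 proxy host=notwebhook.site src=10.0.0.5",
    "t=5 fw dst=182.54.217.2:443 src=10.0.0.5",
]
```

Because ifconfig[.]me and webhook[.]site are public services that also carry legitimate traffic, a "context" hit is most useful when it coincides with a "high" hit from the same host.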

Conclusion

Based on the above-discussed similarities, SecurityScorecard STRIKE assesses with moderate confidence that the Iran-linked threat actor group tracked as TunnelVision, and by extension the more established Iranian APT group tracked by Microsoft as Phosphorus, is responsible for the intrusion detailed in the November 16 advisory. This could additionally link TunnelVision to the activity tracked as Charming Kitten; for example, the IP addresses and domain contained in the CISA-FBI joint advisory also appear in a collection of Charming Kitten-attributed IoCs. However, other organizations attribute some of the activity Microsoft attributes to Phosphorus to Nemesis Kitten rather than Charming Kitten. Despite the similarities between TunnelVision and other Iran-attributed APT activity, analysts have therefore thus far hesitated to identify it with a particular APT group or subgroup, owing to these differences in tracking and attribution.
