Allies Warn of Iranian Ransom Attacks Using Log4Shell

Written by

Cybersecurity agencies in the US, UK, Australia and Canada have warned that Iranian state-sponsored hackers are exploiting Log4j vulnerabilities in ransomware campaigns.

An alert published this week said Tehran’s Islamic Revolutionary Guard Corps (IRGC) was behind multiple attacks exploiting VMware Horizon Log4j bugs on unprotected networks to enable disk encryption and data extortion.

These include February attacks against a US municipal government and an aerospace company which leveraged the original Log4Shell bug CVE-2021-44228 as well as related vulnerabilities CVE-2021-45046 and CVE-2021-45105.

This is in keeping with previous IRGC campaigns that exploited ProxyShell vulnerabilities in Microsoft Exchange and zero-day flaws in Fortinet FortiOS products, the alert claimed.

“After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data,” it explained.

“The actors may sell the data or use the exfiltrated data in extortion operations or ‘double extortion’ ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.”

If the state-backed actors are seeking to generate funds for the Islamic Republic through these efforts, it would mark a new phase in Iranian threat activity. Tehran has largely focused up to now on cyber-espionage for geopolitical purposes and attacks designed to disrupt physical and critical infrastructure, as in the recent campaign against Albania.

“Based on the latest intelligence across the Five Eyes, this advisory again underscores that organizations of all sizes continue to be targeted by capable and increasingly sophisticated adversaries,” argued Australian Cyber Security Centre boss, Abigail Bradshaw.

“It’s absolutely critical that organizations strengthen their cyber-defenses by reviewing these protective measures and implementing them immediately. In particular, I urge organizations to patch their systems against a number of already known critical vulnerabilities.”

Also this week, the US indicted three Iranian nationals allegedly responsible for ransomware attacks against hundreds of small businesses, government agencies, non-profits and educational and religious institutions across the US, UK, Israel and even Iran.

At the same time, the US Treasury announced sanctions on 10 individuals and two entities linked to the IRGC, including the three men indicted by the Department of Justice (DoJ).

What’s hot on Infosecurity Magazine?