The US, UK, Australia, and Canada’s cybersecurity agencies have issued warnings that Iranian state-sponsored hackers are using Log4j vulnerabilities in their ransomware attacks.
In a warning released this week, the cybersecurity agencies stated that Tehran's Islamic Revolutionary Guard Corps (IRGC) was behind numerous attacks that exploited Log4j vulnerabilities in VMware Horizon servers exposed on unpatched networks to deploy disk encryption and carry out data extortion.
These include the February attacks on a US local government and an aerospace firm that exploited the original Log4Shell vulnerability, CVE-2021-44228, as well as the related vulnerabilities CVE-2021-45046 and CVE-2021-45105.
According to the notice, this is consistent with other IRGC activity that exploited Microsoft Exchange ProxyShell weaknesses and zero-day vulnerabilities in Fortinet FortiOS devices.
The IRGC-affiliated actors likely decide on a course of action after gaining access to a network based on how valuable they judge the data to be. Depending on that perceived worth, the perpetrators may exfiltrate data, encrypt it for ransom, or both, the cybersecurity agencies said.
“The attackers may sell the data or utilize the exfiltrated material in double-extortion” ransom operations, in which a threat actor combines encryption and data theft to coerce targeted companies into paying ransom demands.
If the state-backed actors intended to use these operations to raise money for the Islamic Republic, this would mark a new stage in Iranian threat activity. Until now, Tehran has mostly concentrated on cyber-espionage for geopolitical ends and on attacks meant to disrupt critical physical infrastructure, such as the ongoing campaign against Albania.
The US also announced indictments against three Iranian nationals this week. They are accused of being behind ransomware attacks that targeted hundreds of small businesses, government organizations, nonprofits, and educational and religious institutions across the US, UK, Israel, and even Iran.
The three men charged by the Department of Justice (DoJ) were among 10 individuals and two businesses tied to the IRGC against which the US Treasury announced sanctions at the same time.