Cybercriminals Targeting Federal Government Agencies Through Log4j Vulnerability

Web Servers Systems Networks
Advisory ID:
November 28, 2022


Following the publication of the advisory with ID - NGCERT-2021-0062 on the Apache Log4j Remote Code Execution Vulnerability on the 20th of December 2021, a U.S. Federal Government entity's network was compromised by a suspected Iranian threat actor, according to Cybersecurity and Infrastructure Security Agency (CISA). This threat actor took advantage of an unpatched VMware Horizon server to insert malware.

Description & Consequence

Apache Log4j is a popular open-source logging library that is found in almost every environment where a Java application is used. Enterprise applications, cloud services, web applications, email services, and open-source software are all examples of this. This library is used to record information about security and performance. Recently, CISA discovered traffic between the network of an unnamed US government organization and a hostile IP address known for exploiting the Log4j vulnerability. Furthermore, they discovered that the actor had exploited the vulnerability months before its discovery and had gained network persistence. In addition, the actor had installed XMRig crypto mining software and compromised the domain controller, gaining access to user credentials and inserting Ngrok proxies. However, the threat actors' attempt to disable the Local Security Authority Subsystem Service (LSASS) process was foiled by the organization's anti-malware solution.

For more details on the Log4j remote code execution vulnerability, check the link on the ngCERT advisory below.

An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request then allows the adversary to take full control over the system. The adversary can then steal information, install crypto-mining software, launch ransomware attack, or conduct other malicious activity.


Some countermeasures that can be taken to forestall such an attack include:

  1. Always ensuring that all system patches and security updates are installed.
  2. Conducting periodic vulnerability assessment exercises to ascertain security risks to a network.
  3. Installing and keeping up-to-date an anti-malware solution.
  4. Employ a layered defense strategy so that when one barrier is broken through, another may hinder the attack.



Related Articles