Iranian advanced persistent threat group Cobalt Mirage, also known as UNC2448 or Nemesis Kitten, has exploited the Log4j vulnerability to compromise numerous U.S. local government networks with the Drokbk malware since February, according to The Record, a news site by cybersecurity firm Recorded Future.
Cobalt Mirage is believed by Secureworks researchers to be behind a separate attack reported by the Cybersecurity and Infrastructure Security Agency that involved the compromise of a federal agency's server through Log4j vulnerability exploitation.
Drokbk malware, which was found to be deployed following network infiltration, was also revealed to leverage GitHub for securing its command-and-control infrastructure.
"The February intrusion that Secureworks incident responders investigated began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). Forensic artifacts indicated Drokbk.exe was extracted from a compressed archive (Drokbk.zip) hosted on the legitimate transfer.sh online service. The threat actors extracted the file to C:\Users\DomainAdmin\Desktop and then executed it," said Secureworks.
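As an added illustration, not from the article or from Secureworks, the following routine looks for the delivery chain quoted above in endpoint telemetry: a connection to transfer.sh, an archive written under a user profile, then an executable launched from a Desktop folder on the same host. The event records, field names, hostnames and timestamps are constructed assumptions modelled loosely on Sysmon-style logs.

```python
# Added example: flag the Drokbk delivery chain described in the article
# (archive fetched from transfer.sh, executable run from a user's Desktop).
# EVENTS below are constructed sample telemetry, not real incident data.
from collections import defaultdict

# (timestamp, host, event_type, details)
EVENTS = [
    ("2022-02-10T09:01:00", "horizon01", "network",
     {"dest": "transfer.sh", "proc": "powershell.exe"}),
    ("2022-02-10T09:01:05", "horizon01", "file_create",
     {"path": r"C:\Users\DomainAdmin\Desktop\Drokbk.zip"}),
    ("2022-02-10T09:02:00", "horizon01", "process",
     {"image": r"C:\Users\DomainAdmin\Desktop\Drokbk.exe", "parent": "explorer.exe"}),
    # Benign process on another host: must not alert.
    ("2022-02-10T10:00:00", "ws07", "process",
     {"image": r"C:\Program Files\App\app.exe", "parent": "explorer.exe"}),
]

def _is_desktop_exe(path):
    """True for an .exe located under any C:\\Users\\<name>\\Desktop folder."""
    p = path.lower().replace("/", "\\")
    return p.startswith("c:\\users\\") and "\\desktop\\" in p and p.endswith(".exe")

def detect_drokbk_chain(events):
    """Return one alert per Desktop-launched .exe that follows a transfer.sh
    download and an archive drop on the same host (events sorted by time)."""
    stages = defaultdict(dict)  # host -> {"download": ts, "archive": ts}
    alerts = []
    for ts, host, etype, d in sorted(events, key=lambda e: e[0]):
        s = stages[host]
        if etype == "network" and d.get("dest", "").lower().endswith("transfer.sh"):
            s["download"] = ts
        elif etype == "file_create" and "download" in s \
                and d.get("path", "").lower().endswith(".zip"):
            s["archive"] = ts
        elif etype == "process" and "archive" in s and _is_desktop_exe(d.get("image", "")):
            alerts.append({"host": host, "time": ts, "image": d["image"],
                           "download_at": s["download"], "archive_at": s["archive"]})
    return alerts

if __name__ == "__main__":
    for a in detect_drokbk_chain(EVENTS):
        print(f"[ALERT] {a['host']} {a['time']} {a['image']} (archive at {a['archive_at']})")
```

The stage tracking is per host, so an archive dropped on one machine does not raise the confidence of a process start on another.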
Iranian APT targets US local governments with Drokbk malware