Iranian government-sponsored advanced persistent threat (APT) actors breached the Federal Civilian Executive Branch (FCEB) and its network, according to a cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
In the course of incident response activities, CISA determined that the APT actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
Yaron Kassner, CTO and Co-Founder of Silverfort, says, “The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery. It is a gift to state actors and access brokers, and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched. As we see here, once a toehold is gained — attackers are then able to simply pick up administrator credentials and use them to move laterally before eventually compromising the entire domain. This emphasizes the need for MFA inside the network, which was clearly missing here. Hopefully, crypto-mining was the sole outcome of this attack and not more than that.”