>
An unnamed Iranian state-sponsored hacking group managed to compromise the endpoints of a US Federal Civilian Executive Branch (FCEB) organization and used its access to deploy a cryptocurrency miner.
The Cybersecurity and Infrastructure Agency (CISA) published (opens in new tab) the findings earlier this week. According to the report, CISA was called in in mid-June to investigate suspicions of Advanced Persistent Threat (APT) activity.
After a month-long investigation that ended in July 2022, the agency concluded that an Iranian state-sponsored threat actor managed to compromise an unpatched VMware Horizon server by exploiting the infamous log4j vulnerability, Log4Shell.
Patch VMware systems
The group used the access to install XMRig, a well-known cryptocurrency miner that uses the computing power of the device to generate Monero, a cryptocurrency that puts privacy first and is nearly impossible to track and trace.
The actors also moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on different hosts to maintain persistence on the network.
Following the release of these findings, CISA along with the FBI has urged all organizations with similar VMware systems to immediately apply available patches or load known workarounds.
All organizations with affected VMware systems were told to “compromise” and initiate threat hunting activities.
“If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and monitor privileged accounts” , reads the announcement. .
“All organizations, regardless of evidence of compromise identified, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activities.”
First discovered late last year, Log4Shell was described by CISA Director Jen Easterly as “one of the most serious, if not the most serious” vulnerabilities she has ever seen.