Unpatched server

CISA, FBI: Iran-Sponsored Actors Exploit Log4j Vulnerability in Federal Agency Network

A new joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency and the FBI revealed that hackers sponsored by the Iranian government exploited a Log4Shell vulnerability in an unpatched VMware Horizon server of an undisclosed federal civilian executive branch organization. The Log4Shell vulnerability is a software flaw of open-source logging library Log4j.

The infiltrators managed to access employee credentials and install XMRig cryptocurrency mining software in the agency’s system. The vulnerability was already known in 2021 and CISA asked agencies to patch the flaw; however, the targeted government entity did not address the issue, Nextgov reported.

According to CISA, it detected that the victim agency’s system was compromised following a network analysis in April using an intrusion detection system. An incident response engagement was performed for over a month starting in mid-June and a suspected advanced persistent threat activity was observed.

The advisory said the threat actors installed Ngrok reverse proxies on several hosts to maintain persistence and the open-source app Mimikatz to obtain and use credentials to create a domain administrator account. CISA and the FBI urged all organizations with unpatched VMware systems “to assume compromise and initiate threat hunting activities.”

In October, CISA, the FBI and the National Security Agency released a cybersecurity advisory on Chinese state-sponsored actors exploiting known vulnerabilities, which include flaws in Apache Log4j, to steal intellectual property from Defense Industrial Base sector organizations and other entities.