The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.
The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency’s network.
“In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” the joint advisory reads.
The two U.S. federal agencies added that all organizations who haven’t yet patched their VMware systems against Log4Shell should assume that they’ve already been breached and advise them to start hunting for malicious activity within their networks.
CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits.
Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.
Ongoing Log4Shell exploitation by state hackers
After its disclosure in December 2021, multiple threat actors almost immediately began scanning for and exploiting systems left unpatched.
The list of attackers includes state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as access brokers known for their close ties with some ransomware gangs.
CISA also advised organizations with vulnerable VMware servers to assume they were breached and initiate threat-hunting activities.
VMware also urged customers in January to secure their VMware Horizon servers against Log4Shell attack attempts as soon as possible.
Since January, Internet-exposed VMware Horizon servers have been hacked by Chinese-speaking threat actors to deploy Night Sky ransomware, the Lazarus North Korean APT to deploy information stealers, and the Iranian-aligned TunnelVision hacking group to deploy backdoors.
In today’s advisory, CISA and the FBI strongly advised organizations to apply recommended mitigations and defensive measures, including:
Updating affected VMware Horizon and unified access gateway (UAG) systems to the latest version.
Minimizing your organization’s internet-facing attack surface.
Exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the CSA.
Testing your organization’s existing security controls against the ATT&CK techniques described in the advisory.