Iranian Hackers Breached Federal Agency Using Log4Shell Exploit

An anonymous reader quotes a report from BleepingComputer: The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network. "In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," the joint advisory reads. The two U.S. federal agencies added that all organizations who haven't yet patched their VMware systems against Log4Shell should assume that they've already been breached and advise them to start hunting for malicious activity within their networks. CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits. Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.

Read more of this story at Slashdot.