Iran-sponsored actor breached US federal agency


A threat actor penetrated an unnamed US agency by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server, the US cybersecurity agency said.


CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization this summer after suspecting advanced persistent threat (APT) activity.

The threat actor behind the attack exploited a known vulnerability in Log4j, a popular logging library.

The server the federal agency was using was unpatched. As a result, threat actors managed to install crypto mining software, move laterally to the domain server, compromise credentials, and implant Ngrok reverse proxies to maintain persistence.

CISA and FBI assess that Iranian APT actors were behind the cyberattack but haven’t attributed it to a particular Iranian threat actor.

The threat actor was observed to execute Mimikatz to harvest credentials and create a rogue domain administrator account to propagate to several hosts within the network.

Upon logging in, the threat actors disabled Windows Defender before installing Ngrok executables and configuration files.

They also changed the password of the local administrator account as a fallback, should the rogue domain administrator account be detected.

“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities.”
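The call to "initiate threat hunting activities" can be turned into a first-pass log triage for the behaviours described above. The script below is an added example, not code from CISA, the FBI or the article: it runs over constructed Windows event lines (sample data, not from the incident; the flattened "EventID Host=... key=value" format and host names are assumptions) and flags a newly created account being added to Domain Admins, Defender real-time protection being disabled, Ngrok or a miner being launched, and a local Administrator password reset.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the incident), flattened to
# "<EventID> Host=<name> key=value ..." one per line for this example.
SAMPLE_EVENTS = [
    "4688 Host=VHZ01 User=SYSTEM NewProcessName=C:\\Windows\\Temp\\miner.exe",
    "4720 Host=DC01 Subject=SVC-ADMIN TargetUserName=helpdesk.backup",
    "4728 Host=DC01 TargetUserName=helpdesk.backup GroupName=Domain Admins",
    "5001 Host=WS07 Provider=Microsoft-Windows-Windows Defender",
    "4688 Host=WS07 User=helpdesk.backup NewProcessName=C:\\ProgramData\\ngrok.exe",
    "4724 Host=WS07 Subject=helpdesk.backup TargetUserName=Administrator",
    "4688 Host=WS07 User=jsmith NewProcessName=C:\\Windows\\System32\\notepad.exe",
]

# Hunting rules: (Windows event ID, pattern over the rest of the line, label).
# 4720 = user account created, 4728 = member added to a global group,
# 5001 = Defender real-time protection disabled, 4688 = process creation,
# 4724 = password reset attempted on another account.
RULES = [
    ("4720", re.compile(r"TargetUserName="), "new account created (verify it is legitimate)"),
    ("4728", re.compile(r"GroupName=Domain Admins"), "account added to Domain Admins"),
    ("5001", re.compile(r"Windows Defender"), "Defender real-time protection disabled"),
    ("4688", re.compile(r"NewProcessName=.*\\(ngrok|miner)\.exe$", re.I), "ngrok or miner process started"),
    ("4724", re.compile(r"TargetUserName=Administrator$"), "local Administrator password reset"),
]

def hunt(events):
    """Return {host: [labels]} for every event line that matches a rule."""
    hits = defaultdict(list)
    for line in events:
        event_id, _, rest = line.partition(" ")
        host = re.search(r"Host=(\S+)", rest)
        for rule_id, pattern, label in RULES:
            if event_id == rule_id and pattern.search(rest):
                hits[host.group(1) if host else "unknown"].append(label)
    return dict(hits)

def priority_hosts(hits, min_hits=2):
    """Hosts showing several stages of the chain are looked at before single hits."""
    return sorted(h for h, labels in hits.items() if len(labels) >= min_hits)

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host in priority_hosts(found):
        print(host, "->", "; ".join(found[host]))
```

On real data, feed it flattened Security and Defender operational log exports and extend RULES with the Horizon server's Log4j exploitation indicators from your own telemetry.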
