November 17, 2022

Iranian government-backed hackers allegedly compromised the Federal Civilian Executive Branch (FCEB) for months in order to deploy XMRig cryptomining malware, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

As early as February 2022, advanced persistent threat (APT) attackers gained access by exploiting a Log4Shell vulnerability in an unpatched VMware Horizon system.

The APT actors gained initial access through the Log4Shell vulnerability and then installed the crypto mining software XMRig. To maintain persistence, the attackers moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts.

The Log4Shell can be remotely exploited to target vulnerable servers exposed to local or Internet access, allowing attackers to move laterally across breached networks and access internal systems containing sensitive data.

The CISA and FBI also issued recommendations, advising all organizations that have not yet patched their VMware systems against Log4Shell to assume that they have already been breached and to begin looking for malicious activity within their networks.

The sources for this piece include an article in BleepingComputer.