CISA and the FBI issues warning on Iran-backed threat actors

Iranian government-backed hackers allegedly compromised the Federal Civilian Executive Branch (FCEB) for months in order to deploy XMRig cryptomining malware, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

As early as February 2022, advanced persistent threat (APT) attackers gained access by exploiting a Log4Shell vulnerability in an unpatched VMware Horizon system.

The APT actors gained initial access through the Log4Shell vulnerability and then installed the crypto mining software XMRig. To maintain persistence, the attackers moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts.

The Log4Shell can be remotely exploited to target vulnerable servers exposed to local or Internet access, allowing attackers to move laterally across breached networks and access internal systems containing sensitive data.

The CISA and FBI also issued recommendations, advising all organizations that have not yet patched their VMware systems against Log4Shell to assume that they have already been breached and to begin looking for malicious activity within their networks.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web