The Cybersecurity and Infrastructure Security Agency said suspected advanced persistent threat actors related to the Iranian government exploited the Log4Shell remote code execution vulnerability to compromise the network of a federal civilian executive branch organization.
CISA said Wednesday it released an advisory outlining indicators of compromise collected from the investigation of the suspected APT activity that targeted an unpatched VMware Horizon server to install crypto mining software.
The agency identified the APT activity on the organization’s network through the EINSTEIN intrusion detection system and found IOCs on the organization’s VMware Horizon server.
From mid-June through mid-July, CISA conducted an incident response engagement and observed that the threat actors installed XMRig crypto mining software, moved to the domain controller, compromised credentials and distributed Ngrok reverse proxies across several hosts.
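The behaviours described above (XMRig miners, Ngrok reverse proxies spread across hosts, and a Log4Shell foothold on a VMware Horizon server) are the kind of thing a defender would hunt for in process-creation telemetry. The script below is an added example, not code from CISA's advisory or from this article: the pipe-delimited log format, the sample events, the host names and the command lines are all constructed here, and the rule that flags Horizon's Java process spawning a shell is a general post-exploitation heuristic I have added, not an indicator taken from the advisory.

```python
"""Triage constructed process-creation events for the indicators named in the
CISA advisory (XMRig miner, Ngrok reverse proxy) plus one added heuristic:
VMware Horizon's Java process spawning a command shell, which is a common
sign of a Log4Shell-style exploit landing in the web tier."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Constructed sample events (NOT from the advisory), one per line:
# host|parent_image|image|command_line
SAMPLE_EVENTS = """\
hzn-web01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
hzn-web01|C:\\Program Files\\VMware\\VMware View\\Server\\jre\\bin\\java.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo test
hzn-web01|C:\\Windows\\System32\\cmd.exe|C:\\Users\\Public\\xmrig.exe|xmrig.exe -o pool.example.invalid:3333
dc01|C:\\Windows\\System32\\cmd.exe|C:\\Users\\Public\\ngrok.exe|ngrok.exe start --config C:\\Users\\Public\\ngrok.yml --all
ws07|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

# Indicator names from the advisory: the miner and the reverse-proxy binary.
MINER_NAMES = {"xmrig.exe", "xmrig"}
PROXY_NAMES = {"ngrok.exe", "ngrok"}
# Added heuristic (assumption, not from the advisory): a Java process living
# under a VMware install path should not be spawning interactive shells.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
HORIZON_JAVA = re.compile(r"vmware.*\\java\.exe$", re.I)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def triage(events: str) -> list[Finding]:
    """Run the three rules over pipe-delimited events and return the findings."""
    findings: list[Finding] = []
    for raw in events.splitlines():
        if not raw.strip():
            continue
        host, parent, image, cmdline = raw.split("|", 3)
        name = basename(image)
        lowered = cmdline.lower()
        # Rule 1: miner binary by name, or a renamed binary still invoked as xmrig.
        if name in MINER_NAMES or "xmrig" in lowered:
            findings.append(Finding(host, "crypto-miner", f"{name}: {cmdline}"))
        # Rule 2: Ngrok reverse proxy, which the advisory says was spread to several hosts.
        if name in PROXY_NAMES or "ngrok" in lowered:
            findings.append(Finding(host, "ngrok-reverse-proxy", f"{name}: {cmdline}"))
        # Rule 3 (added heuristic): Horizon's Java parent spawning a shell child.
        if HORIZON_JAVA.search(parent) and name in SHELLS:
            findings.append(
                Finding(host, "horizon-java-spawned-shell",
                        f"{basename(parent)} -> {name}: {cmdline}"))
    return findings


def hosts_by_rule(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected hosts per rule so lateral spread (e.g. Ngrok on dc01) stands out."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f.rule, set()).add(f.host)
    return {rule: sorted(hosts) for rule, hosts in sorted(grouped.items())}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print(hosts_by_rule(triage(SAMPLE_EVENTS)))
```

Run against the constructed sample it flags the miner on the Horizon server, the Ngrok proxy on the domain controller and the shell spawned by Horizon's Java process, while the two benign events pass. Real telemetry (Sysmon event 1, EDR process events) carries the same four fields, so the parser is the only part that changes; the name-based rules are deliberately loose, and renamed binaries would still need hash or behavioural detection on top.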
CISA unveiled the cybersecurity advisory in collaboration with the FBI to help network defenders detect and implement appropriate measures against related compromises.