Suspected Iranian APT accessed federal server via Log4j vulnerability

A suspected Iranian advanced persistent threat (APT) group accessed the server of a federal agency by exploiting the Log4j vulnerability. The activity is believed to have begun in February 2022 and was first detected by the Cybersecurity and Infrastructure Security Agency (CISA) two months later. 

According to a joint advisory published Wednesday by CISA and the Federal Bureau of Investigation, the threat actors breached a VMware Horizon server and installed cryptomining software. They also accessed the domain control, which responds to security authentication requests, compromised credentials and installed a reverse proxy service called Ngrok. Investigators linked the activity to an IP address associated with attempts to exploit the Log4j vulnerability. It is unclear from the advisory how the agencies determined an Iranian connection. 

The agencies did not announce which federal organization was breached, saying only that it was in the Federal Civilian Executive Branch (FCEB), a classification that includes a swathe of executive agencies both small and large. 

“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities,” they wrote. 

Since it was first discovered in December 2021, CISA has required government agencies to install patches for the Log4Shell vulnerability. Despite efforts to contain its spread, however, issues continue to pop up, including recent attacks by a group of hackers with suspected ties to the Chinese government.