State-backed Iranian threat actors are exploiting a Log4Shell vulnerability inside an unpatched VMware server at a federal civilian agency, the Cybersecurity and Infrastructure Security Agency warned in a joint advisory with the FBI Wednesday.
After conducting an investigation from mid-June into July, authorities discovered that attackers installed XMRig cryptomining software and moved laterally into a domain controller. The actors stole credentials and installed Ngrok reverse proxies to maintain persistence inside the network.
All organizations with affected VMware systems that failed to patch or apply workarounds should assume compromise and hunt for threats, according to the advisory. If initial access or compromise is suspected, organizations should investigate any connected systems and conduct audits on privileged accounts.
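One way to act on the "assume compromise and hunt" guidance above, as an added illustration rather than code from the advisory or the article: a small Python hunt that scans a process inventory for the two post-exploitation artifacts the advisory names (an XMRig miner and Ngrok reverse proxies) and then reviews a privileged group against a reviewed baseline. The process listing, account records, host names and dates are all constructed; the indicator patterns (the `stratum+tcp` pool scheme, the `--donate-level` and `-o` miner options, the `ngrok` image name and `ngrok tcp` invocation) are general knowledge about those tools and are assumptions a hunter would tune to their own environment.

```python
"""Hunt for the post-exploitation artifacts described in the advisory.

Added example, not code from CISA, the FBI or the article. Sample data is
constructed; indicator patterns are assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass

# Cryptominer indicators: the XMRig image name, a mining-pool URL scheme,
# and XMRig's own command-line options (general tool knowledge, not page data).
MINER_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level|(^|\s)-o\s+\S+:\d+", re.I),
]
# Reverse-proxy indicators: the Ngrok binary and a tunnel invocation.
TUNNEL_PATTERNS = [
    re.compile(r"\bngrok(\.exe)?\b", re.I),
    re.compile(r"\bngrok(\.exe)?\s+(tcp|http|start)\b", re.I),
]

@dataclass
class Finding:
    host: str
    category: str   # "miner", "tunnel" or "privileged-account"
    evidence: str

def hunt_processes(lines):
    """Each line is '<host>\\t<pid>\\t<image path>\\t<command line>' (constructed format).
    Returns one Finding per indicator category that matches a process."""
    findings = []
    for line in lines:
        host, _pid, image, cmdline = line.split("\t", 3)
        text = f"{image} {cmdline}"
        if any(p.search(text) for p in MINER_PATTERNS):
            findings.append(Finding(host, "miner", text))
        if any(p.search(text) for p in TUNNEL_PATTERNS):
            findings.append(Finding(host, "tunnel", text))
    return findings

def audit_privileged_accounts(members, baseline, suspected_since, dc="dc01"):
    """members: list of (account, created ISO date). Flag any member that is not
    in the reviewed baseline or was created inside the suspected-compromise window."""
    findings = []
    for account, created in members:
        if account not in baseline or created >= suspected_since:
            findings.append(Finding(dc, "privileged-account", f"{account} created {created}"))
    return findings

# Constructed process inventory: a renamed miner on a VDI host, a tunnel on the DC,
# and two benign system processes. Pool host and wallet are placeholders.
SAMPLE_PROCESSES = [
    "vdi01\t4120\tC:\\Windows\\Temp\\mde.exe\tmde.exe -o pool.example.invalid:3333 -u WALLET-PLACEHOLDER --donate-level 1",
    "vdi01\t4800\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs",
    "dc01\t3312\tC:\\ProgramData\\ngrok.exe\tngrok.exe tcp 3389",
    "dc01\t612\tC:\\Windows\\System32\\lsass.exe\tlsass.exe",
]
# Constructed Domain Admins membership; only the first two were in the last review.
SAMPLE_DOMAIN_ADMINS = [
    ("Administrator", "2019-03-02"),
    ("svc_backup", "2021-11-15"),
    ("svc_update", "2022-06-22"),   # constructed: appears only after the intrusion window opened
]
REVIEWED_BASELINE = {"Administrator", "svc_backup"}

def run_hunt(suspected_since="2022-06-01"):
    """Combine both checks; the date is a constructed start of the suspected window."""
    return (hunt_processes(SAMPLE_PROCESSES)
            + audit_privileged_accounts(SAMPLE_DOMAIN_ADMINS, REVIEWED_BASELINE, suspected_since))

if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.category}] {f.host}: {f.evidence}")
```

A hit on the miner or tunnel patterns on a domain controller is the kind of finding the advisory says should trigger a wider investigation of every connected system; the account audit is deliberately baseline-driven so that a privileged account nobody signed off on is flagged even when its name looks routine.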
“Today’s advisory highlights the importance of continued focus on mitigating known exploited vulnerabilities such as Log4Shell and the need for all organizations to implement effective detections to proactively identify malicious activity before damaging impacts occur,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in an emailed statement.
While government and private sector organizations worked urgently to mitigate assets running vulnerable versions of Log4j, malicious cyber actors moved quickly to exploit vulnerable systems and are still doing so, Goldstein said.
It is not immediately known why the agencies are issuing an advisory at this particular time; it has been months since the prior activity was observed.
Analysts at Mandiant said criminal actors may be working with Iran in a way that makes it difficult to distinguish between criminal and nation-state activity.
“Iran and their peers depend on contractors to carry out cyber espionage and attack activities,” John Hultquist, head of intelligence analysis at Mandiant, said in a statement. “Many of these contractors moonlight as criminals and it can be difficult to distinguish this activity from the work at the behest of the state.”
Sonatype CTO Brian Fox said about 38% to 40% of Log4j downloads, or about 20,0000, are still vulnerable to Log4Shell.
“The advisory should serve as a warning to everyone in the industry, especially those in the federal space, not to lose sight of continuing to find straggling systems with potentially vulnerable versions,” Fox said via email.