
CISA Warns of Iranian APT Actors Targeting US Federal Networks

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued a joint advisory on Iranian government-sponsored APT actors targeting a US Federal Civilian Executive Branch (FCEB) organization.

21 June 2026

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have identified Iranian government-sponsored advanced persistent threat (APT) actors targeting a US Federal Civilian Executive Branch (FCEB) organization. The attackers gained initial access by exploiting the Log4Shell vulnerability, deployed the XMRig cryptominer, and used lateral movement techniques to infect additional hosts within the victim's network.

The suspected campaign began in February 2022, when the threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. After achieving initial access, the adversaries modified Windows Defender settings, adding exclusions so that certain directories were no longer scanned by the antivirus engine. They then downloaded malicious files to establish persistence and conduct cryptojacking operations.

Cryptojacking involves the unauthorized use of victims' resources for mining cryptocurrencies. In this instance, the Iranian APT actors downloaded XMRig cryptocurrency mining software to the victim's VMware Horizon server. The attackers then escalated their activities by moving from the compromised VMware Horizon server to a VMware VDI-KMS host using Remote Desktop Protocol (RDP). They transferred tools such as Mimikatz for credential dumping, PsExec for lateral movement, and ngrok for remote access and persistence.

CISA and the FBI recommend that organizations continuously validate their security controls against the techniques and tools used by threat actors, aligning with the MITRE ATT&CK framework. This validation process involves testing security technologies, analyzing their performance, and continually tuning the security program to counter evolving threats.
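As an added illustration of the validation step above (this is not code from the advisory or the original article), the script below maps constructed host-log lines to the MITRE ATT&CK techniques that the tooling described in the advisory corresponds to. The log format, host names and rule-to-technique mapping are assumptions made for the example.

```python
import re

# Constructed sample log lines (not from the advisory); each imitates a
# simplified PowerShell / Sysmon style record written as key=value pairs.
SAMPLE_LOGS = [
    "host=horizon01 src=PowerShell cmd=Add-MpPreference -ExclusionPath C:\\Users\\Public",
    "host=horizon01 src=Sysmon image=C:\\ProgramData\\xmrig\\xmrig.exe parent=java.exe",
    "host=horizon01 src=Sysmon image=C:\\Windows\\System32\\mstsc.exe cmdline=/v:vdi-kms01",
    "host=vdi-kms01 src=Sysmon image=C:\\Temp\\mimikatz.exe cmdline=sekurlsa::logonpasswords",
    "host=vdi-kms01 src=Sysmon image=C:\\Temp\\PsExec.exe cmdline=\\\\fileserver -s cmd",
    "host=vdi-kms01 src=Sysmon image=C:\\Temp\\ngrok.exe cmdline=tcp 3389",
    "host=vdi-kms01 src=Sysmon image=C:\\Windows\\System32\\notepad.exe cmdline=",
]

# Behaviours the advisory describes, each paired with the ATT&CK technique ID
# a defender would use to track coverage of it (mapping is the author's choice).
RULES = [
    (re.compile(r"Add-MpPreference\s+-Exclusion", re.I), "T1562.001", "Defender exclusion added"),
    (re.compile(r"\bxmrig\b", re.I), "T1496", "XMRig cryptominer execution"),
    (re.compile(r"\bmstsc\.exe\b", re.I), "T1021.001", "RDP client launched"),
    (re.compile(r"\bmimikatz\b|sekurlsa::", re.I), "T1003.001", "credential dumping tool"),
    (re.compile(r"\bpsexec\b", re.I), "T1569.002", "PsExec remote execution"),
    (re.compile(r"\bngrok\b", re.I), "T1572", "ngrok tunnel for remote access"),
]

def field(line, name):
    """Extract a key=value field from a log line (empty string if absent)."""
    m = re.search(rf"\b{name}=(\S*)", line)
    return m.group(1) if m else ""

def scan(lines):
    """Return one (host, technique_id, description) finding per matched line."""
    findings = []
    for line in lines:
        for pattern, technique, desc in RULES:
            if pattern.search(line):
                findings.append((field(line, "host"), technique, desc))
                break  # first matching rule wins for this line
    return findings

def hosts_by_technique(findings):
    """Group affected hosts per technique to show how far activity has spread."""
    out = {}
    for host, technique, _ in findings:
        out.setdefault(technique, set()).add(host)
    return out

if __name__ == "__main__":
    for host, technique, desc in scan(SAMPLE_LOGS):
        print(f"{host}: {technique} {desc}")
```

Run against real telemetry, the same structure lets a team see which of the advisory's techniques produced an alert and which went unobserved, which is the gap the validation recommendation is meant to close.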

Original source: picussecurity.com