Iranian hackers breached US govt agency, deploy crypto miner
CISA is warning affected firms to assume compromise
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
An unnamed Iranian state-sponsored hacking group managed to compromise theendpointsbelonging to an American Federal Civilian Executive Branch (FCEB) organization, and used its access to deploy a cryptocurrency miner.
The Cybersecurity and Infrastructure Agency (CISA)publishedthe findings earlier this week. As per its report, CISA was brought in, in mid-June, to investigate suspicions of advanced persistent threat (APT) activity.
Following a month-long investigation that ended in July 2022, the agency concluded that an Iranian state-sponsored threat actor managed to compromise an unpatched VMware Horizon server by leveraging the infamous log4j vulnerability, Log4Shell.
Patching VMware systems
The group used the access to install XMRig, a known cryptocurrency miner that uses the device’s computing power to generate Monero, a privacy-first cryptocurrency that’s almost impossible to track and trace.
The actors also moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies, on several hosts, in order to maintain persistence on the network.
Following the release of these findings, CISA, together with the FBI, urged all organizations with similar VMware systems to apply the available patches immediately, or load known workarounds.
Check out the best malware protection services right now>Log4j could be the most serious security threat ever seen, CISA head warns>Log4Shell can hack your iPhone and even a Tesla
All organizations with affected VMware systems were told to “assume compromise” and initiate threat hunting activities.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts,” the announcement reads.
“All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.”
Log4Shell, which was first discovered late last year, was described by CISA director Jen Easterly as “one of the most serious, if not the most serious” vulnerability she’s ever seen.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new malware utilizes a rare programming language to evade traditional detection methods
A new form of macOS malware is being used by devious North Korean hackers
Belkin SoundForm Wired Earbuds with USB-C Connector review: sadly, these live up to their nominal price tag
