Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint Cybersecurity Advisory (CSA) providing information about an incident at a Federal Civilian Executive Branch (FCEB) organization which involved Iranian government-sponsored APT actors exploiting a Log4Shell vulnerability in an unpatched VMware Horizon server.
Over the summer, while conducting an incident response at a federal agency, CISA determined that advanced persistent threat (APT) actors had exploited the Log4Shell vulnerability in an unpatched VMware Horizon server on a federal agency’s network to gain initial access. After obtaining access, the Iranian APT actors installed software and proxies that enabled them to move laterally and maintain persistence in the network.
CISA and the FBI strongly advise all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. Likewise, if suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, organizations should assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, are encouraged to review this advisory and apply the recommendations mitigations, exercise, test, and validate your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.
Accordingly, the joint CSA includes tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommended mitigations to help organizations defend against this threat. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.