Federal Civilian Executive Branch (FCEB) Breached – Log4Shell Resurfaces with a Bang

Exploiting vulnerabilities is one of the best methods for cyber criminals to infiltrate systems. Security flaws vary, but recently, one bug has stood out – the Log4Shell vulnerability. This time around, an Iranian-backed threat group has exploited the bug, allowing themselves to breach Federal Civilian Executive Branch (FCEB) in the process.

Once the group got in, they were able to deploy XMRig cryptomining malware. Just like any cybercriminal organization, these threat actors are definitely after the agency’s internal systems where it stores sensitive data.

The Log4Shell vulnerability has been a problem for quite some time now, and it’s still being exploited worldwide. What is this breach about? How is the FBI handling it? Find out below.

The FCEB Breach – XMRig Says Salām!

When it comes to vulnerabilities, no company/organization/individual is safe. Anyone out there could be waiting for the right moment to strike and exploit.

A while ago, Sophos disclosed a bug that impacted its Firewall. Not long before that, General Bytes – the Bitcoin ATM manufacturer, confirmed that hackers had harvested cryptocurrency from its users.

Now, CISA and FBI have released a joint advisory stating that Iranian hackers have breached the Federal Civilian Executive Branch (FCEB), deploying XMRig cryptomining malware within their systems.

According to the FBI and CISA’s joint advisory:

“In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.”

As seen in the report, the cryptomining malware initiates reverse proxies on the servers to maintain persistence within the agency’s network.

It has been tough for every single organization out there. That’s why federal agencies are urging those whose VPware systems have not been patched yet to take proper precautions immediately.

Federal Agencies Are Here to Help!

Log4Shell is a dangerous vulnerability that’s been preyed on by cybercriminals all over the world. In fact, the flaw has been around for a year or so, and it’s still being exploited.

Any company with unpatched systems might be impacted. The FBI advises them to scan their systems and check for any suspected malicious activity.

To protect vulnerable systems, the FBI and CISA gave a couple of recommendations, including:

• Updating affected VMware Horizon and unified access gateway (UAG) systems to the latest version.
• Minimizing your organization’s internet-facing attack surface.
• Exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the CSA.
• Testing your organization’s existing security controls against the ATT&CK techniques described in the CSA. 

VMware Horizon servers have become the main targets for cybercriminals. The recommendations above reflect “the steps” you should take to avoid becoming a victim. Follow what CISA has recommended – they know what’s best for your online safety.

The FCEB Breach – From Iran with Love

Iranian hackers have been in the spotlight for quite some time now. They’ve been targeting big companies and they’re doing pretty well in terms of success.

A while ago, CISA also reported that Iranian hackers had gained access to Albanian systems. Once they got in, they started performing several consecutive attacks.

That’s not all. A couple of months ago, Iranian hackers launched cyberattacks against U.S. and global critical infrastructure. Seems like groups in the country have been keeping themselves busy.

CISA has been keeping an eye on similar attacks. If you feel like you’ve fallen victim to such breaches, make sure to follow everything the agency says. You’ll be able to protect yourself and even fend off any future attacks.