The advanced persistent threat (APT) attackers gained entry by exploiting a Log4Shell vulnerability in an unpatched VMware Horizon system. The victim was a federal civilian executive branch agency and may have been compromised as early as February 2022.
Other organizations should now be on alert in case they, too, have been similarly compromised, CISA and the FBI said in a joint cybersecurity advisory released today.
WHAT HAPPENED?
CISA said it discovered APT activity on the organization’s network in April 2022, and conducted “an incident response engagement” from mid-June through mid-July.
It found that APT actors used the Log4Shell vulnerability to get initial access, then installed crypto mining software XMRig. The attackers then “moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.”
WHAT TO DO ABOUT IT
Organizations “with affected VMware systems that did not immediately apply available patches or workaround” should assume they’ve been similarly hacked and should begin threat hunting. CISA and the FBI outline the APT actor’s tactics, techniques and procedures, relevant indicators of compromise and relevant mitigations here.
Organizations that detect potential signs of compromise or improper access should assume that the attackers have been able to move laterally through their organizations. That calls for examining any connected systems as well as auditing privileged accounts, CISA said in its alert.
CISA urges organizations to take certain steps before patching or conducting other mitigations:
- “Immediately isolate affected systems.
- Collect and review relevant logs, data, and artifacts. Take a memory capture of the device(s) and a forensic image capture for detailed analysis.
- Consider soliciting support from a third-party incident response organization that can provide subject matter expertise to ensure the actor is eradicated from the network and to avoid residual issues that could enable follow-on exploitation.
- Report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office, or FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov.”
CISA and the FBI advise that even organizations that did not find signs of compromise adopt mitigations that can help defend against these kinds of malicious activities:
- Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
- Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
- Minimize the Internet-facing attack surface.
- Use best practices for identity and access management (IAM).
- Audit domain controllers to log successful Kerberos Ticket Granting Service (TGS) requests and ensure the events are monitored for anomalous activity.
- Create a deny list of known compromised credentials and prevent users from using known compromised passwords.
- Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features.
CISA and the FBI also urged organizations to test, exercise and validate their security programs against the observed threat behaviors. In their advisory, CISA and the FBI associate the behaviors with specific MITRE ATT&CK for Enterprise framework tactics and techniques.
They recommend organizations:
- Select an ATT&CK technique described in the advisory.
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes and technologies, based on the data generated by this process.
