CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. [CISA Cybersecurity Alerts]

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
AA22-320A Alert, Technical Details, and Mitigations …

alert alerts apt cisa cisa alert compromise credential crypto crypto miner cybersecurity federal government harvester miner network sponsored