
APT broke into a federal agency using Log4Shell

In a joint cybersecurity advisory, two US federal agencies have revealed that an attacker sponsored by the Iranian government broke into a federal network and used their access to mine cryptocurrency and steal credentials.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) use the advisory to detail the tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs) they learned from observing the attack, which used the Log4Shell vulnerability (CVE-2021-44228) to gain access to an unpatched VMware Horizon server.

CISA first warned that vulnerable VMware Horizon servers were being actively exploited in June. Since then, threat actors of all kinds and origins will have thoroughly scanned for any unpatched servers that are accessible online. The situation is so bad that the joint advisory carries a blunt message for organizations that didn’t immediately patch their servers, urging them to “assume compromise and initiate threat hunting.”


Log4Shell was a zero-day vulnerability in a widely used software building block called Log4j. This open source logging library, written in Java, is used by millions of applications, many of them incredibly popular. The easy-to-trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. Dealing with the problem meant first creating a patch for the Log4j library, which was done swiftly, and then rolling out patches for all the applications that used the library. Patches for VMware Horizon have been available for quite some time.

CISA and other cybersecurity institutions have warned repeatedly that the Log4Shell vulnerability is actively exploited and used to target organizations using VMware Horizon and Unified Access Gateway servers.

The investigation

The threat actor (suspected to be of Iranian origin, although the advisory does not explain why) first installed XMRig cryptomining software—a very popular miner that we often see on compromised computers. After that they moved laterally to the domain controller (DC), compromised credentials, and then implanted ngrok reverse proxies on several hosts to maintain persistence.

CISA conducted an incident response engagement at the compromised Federal Civilian Executive Branch (FCEB) organization and found that in February 2022, the threat actors exploited Log4Shell to gain initial access to the organization’s unpatched VMware Horizon server. Even though CISA did not reveal the affected organization or the threat actor, the Washington Post reports that it was the US Merit Systems Protection Board, and that it was infiltrated by the group Nemesis Kitten.

The presence of the cryptominer is a little odd. The group is said to work for monetary gain on the side, but it could also have left the miner in an attempt to cover up its more serious spying activities.

For lateral movement, the threat actors reportedly used RDP and the built-in Windows user account DefaultAccount to move to a VMware Virtual Desktop Infrastructure – Key Management Service host.

To tighten their grip on the compromised system, the threat actor downloaded the following tools:

  • PsExec, a Microsoft-signed tool for system administrators that lets you execute processes on other systems.
  • Mimikatz, an open-source application used to steal administrator passwords from memory.
  • Ngrok, a reverse proxy that was used to proxy an internal service onto the internet, bypassing typical firewall controls.

The threat actor also changed the password for the local administrator account on several hosts as a backup, should the rogue domain administrator account they created get detected and terminated.
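For defenders acting on the advisory's call to "assume compromise and initiate threat hunting", the following Python is an added example (not from the advisory or the original article) that hunts exported Windows Security events for the behaviours described above: execution of the named tools, an RDP logon by DefaultAccount, a newly created account added to Domain Admins, and built-in Administrator password resets on several hosts. Event field names are simplified from the Security log, and the sample events, host names, account names and addresses are constructed.

```python
"""Hunt rules for the behaviours described above, over exported Windows
Security events. Sample events are constructed for illustration."""
from collections import defaultdict
from ntpath import basename

# File names of the tools named in the article; renamed binaries evade this,
# so treat a hit as a lead and a miss as inconclusive.
TOOLS = {"xmrig.exe", "psexec.exe", "psexec64.exe", "mimikatz.exe", "ngrok.exe"}

def hunt(events):
    findings = []
    created = set()                # accounts created in this data set (4720)
    resets = defaultdict(set)      # actor -> hosts where RID-500 was reset
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 4688 and basename(e["NewProcessName"]).lower() in TOOLS:
            findings.append(("tool-exec", host, e["NewProcessName"]))
        elif (eid == 4624 and e["LogonType"] == 10
              and e["TargetUserName"].lower() == "defaultaccount"):
            # DefaultAccount is disabled by default; an RDP logon is anomalous
            findings.append(("defaultaccount-rdp", host, e["IpAddress"]))
        elif eid == 4720:
            created.add(e["TargetUserName"].lower())
        elif (eid == 4728 and e["GroupName"] == "Domain Admins"
              and e["MemberName"].lower() in created):
            findings.append(("new-domain-admin", host, e["MemberName"]))
        elif eid == 4724 and e["TargetSid"].endswith("-500"):
            resets[e["SubjectUserName"].lower()].add(host)
    for actor, hosts in sorted(resets.items()):
        if len(hosts) >= 2:        # same actor, built-in Administrator, several hosts
            findings.append(("local-admin-reset", ",".join(sorted(hosts)), actor))
    return findings

# Constructed sample events (field names simplified from the Security log).
SAMPLE = [
    {"EventID": 4688, "Computer": "HZN01", "NewProcessName": r"C:\Users\Public\xmrig.exe"},
    {"EventID": 4624, "Computer": "VDI-KMS", "LogonType": 10,
     "TargetUserName": "DefaultAccount", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "VDI-KMS", "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
    {"EventID": 4720, "Computer": "DC01", "TargetUserName": "svc-backup2"},
    {"EventID": 4728, "Computer": "DC01", "GroupName": "Domain Admins",
     "MemberName": "svc-backup2"},
    {"EventID": 4724, "Computer": "WS01", "SubjectUserName": "svc-backup2",
     "TargetSid": "S-1-5-21-1-2-3-500"},
    {"EventID": 4724, "Computer": "WS02", "SubjectUserName": "svc-backup2",
     "TargetSid": "S-1-5-21-1-2-3-500"},
    {"EventID": 4688, "Computer": "WS02", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]
```

Calling `hunt(SAMPLE)` returns one finding per rule; the ordinary RDP logon by `alice` and the `cmd.exe` process are not flagged.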


The advisory provides a number of actionable pieces of advice to avoid falling prey to this type of threat actor. Some are specific to VMware Horizon users but others are more general in nature.

VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base 87073 can help you determine which VMware Horizon components are vulnerable, while KB87073 and KB87092 provide information about temporary workarounds.

CISA urges organizations to minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, and to use best practices for identity and access management (IAM), such as phishing resistant MFA, strong passwords, and regular auditing of administrator accounts and permissions.


Pieter Arntz

Malware Intelligence Researcher
