In October, CISA, the FBI and the National Security Agency released a cybersecurity advisory on Chinese state-sponsored actors exploiting known vulnerabilities, which include flaws in Apache Log4j, to steal intellectual property from Defense Industrial Base sector organizations and other entities. CISA and the FBI urged all organizations with unpatched VMware systems “to assume compromise and initiate threat hunting activities.” A VMware advisory showed CVSS 10 (as severe as it gets) vulnerability across every single exposed VMware product. Randori has been in contact with VMware and is providing relevant information to their teams but will not release proof-of-concept code. VMware's Threat Analysis unit has overserved active exploitation attempts and is continuously monitoring adversary activities. The Randori Attack Team can confirm exploitability of VMWare products in live environments (VMSA-2021-0028) via Log4j (CVE-2021-44228) aka Log4Shell. Cybersecurity company Sophos said that multiple adversaries are targeting vulnerable Horizon servers, paving the way for persistent access and future ransomware attacks. Virtualisation giant VMware has confirmed that 40 of its products are exposed to the risk of attack and takeover by an unauthenticated remote user as a result of Log4j vulnerability exploitation. This Remote Code Execution (RCE) vulnerability in Apache Log4j2 allows malicious actors to load and execute arbitrary code from LDAP servers when the Log4j message lookup substitution feature has been enabled. The Log4Shell remote code execution vulnerability, in particular, can be exploited remotely on servers exposed to local or Internet access to enable attackers to move laterally across a network. The advisory said the threat actors installed Ngrok reverse proxies on several hosts to maintain persistence and the open-source app Mimikatz to obtain and use credentials to create a domain administrator account. Attackers use the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers. An incident response engagement was performed for over a month starting in mid-June and a suspected advanced persistent threat activity was observed. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. The vulnerability was already known in 2021 and CISA asked agencies to patch the flaw however, the targeted government entity did not address the issue, Nextgov reported.Īccording to CISA, it detected that the victim agency’s system was compromised following a network analysis in April using an intrusion detection system. The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. The infiltrators managed to access employee credentials and install XMRig cryptocurrency mining software in the agency’s system.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |