The CVE-2021-44228 flaw made headlines in December, after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library. Multiple VMware products were identified as at risk from the Log4j issues, including VMware Horizon, vCenter Server and vRealize Operations. The above list represents a very small snapshot of the widespread effect.

In mid-December, experts reported that the Conti ransomware gang was the first professional group to leverage the Log4Shell exploit to compromise VMware vCenter Server installs. The ransomware group used the exploit to target internal devices that are not protected. Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers.

The security team of the UK National Health Service (NHS) said that it detected an unknown threat actor using the Log4Shell vulnerability to hack VMware Horizon servers and plant web shells for future attacks. According to the NHS, threat actors are looking for unpatched VMware Horizon servers to exploit the Log4Shell vulnerability. Once a web shell is installed, threat actors can use it to carry out a broad range of malicious activities, such as data exfiltration or deployment of ransomware.

Huntress reports that attackers have started to exploit the Log4Shell vulnerabilities revealed in December 2021 on servers running VMware Horizon to. The attackers employed a Log4Shell payload similar to $, which then launches a PowerShell command spawned from ws_TomcatService.exe. On Monday, Microsoft published a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the. "The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure. Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service."

The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware.
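The post-exploitation pattern reported above, PowerShell spawned from the Horizon Tomcat service ws_TomcatService.exe, is a simple process-lineage detection. The following is an added example (not code from the article or any vendor) that walks a constructed set of process-creation events and flags PowerShell whose ancestry, within a few hops, includes ws_TomcatService.exe; it goes slightly beyond the page by also catching PowerShell started through an intermediate cmd.exe. The shell image names, the search depth and the sample paths are assumptions made for the example.

```python
from dataclasses import dataclass

# Parent image named on the page (the Horizon Tomcat service). The shell
# image names and MAX_DEPTH are assumptions made for this example.
SUSPECT_PARENT = "ws_tomcatservice.exe"
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 4  # hops up the process tree to search for the Tomcat service


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path or basename, Windows or POSIX separators
    cmdline: str


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_tomcat_spawned_shells(events: list[ProcEvent]) -> list[dict]:
    """One alert per PowerShell process whose ancestry (within MAX_DEPTH hops)
    contains ws_TomcatService.exe; the walk also covers an intermediate cmd.exe."""
    by_pid: dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: list[dict] = []
    for ev in events:
        if basename(ev.image) not in SHELL_IMAGES:
            continue
        chain: list[str] = []
        cur = by_pid.get(ev.ppid)
        for _ in range(MAX_DEPTH):
            if cur is None:
                break
            chain.append(basename(cur.image))
            if chain[-1] == SUSPECT_PARENT:
                alerts.append({"pid": ev.pid, "cmdline": ev.cmdline, "ancestry": chain})
                break
            cur = by_pid.get(cur.ppid)
    return alerts


# Constructed sample telemetry (not real events). 4300 reaches the Tomcat
# service through cmd.exe, 4500 is spawned by it directly, 5100 is benign.
SAMPLE_EVENTS = [
    ProcEvent(4100, 900, r"C:\tomcat\bin\ws_TomcatService.exe", "ws_TomcatService.exe"),
    ProcEvent(4200, 4100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c powershell -Command "Get-Date"'),
    ProcEvent(4300, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -Command "Get-Date"'),
    ProcEvent(4500, 4100, "powershell.exe", "powershell.exe -Command Get-Process"),
    ProcEvent(5000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5100, 5000, "powershell.exe", "powershell.exe"),
]
```

Run `find_tomcat_spawned_shells(SAMPLE_EVENTS)` to see the two alerts; the benign explorer-launched PowerShell (pid 5100) is not flagged because the lineage is what is matched, not the command text.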