![]() ![]() ![]() This exclusion rule allowed the listing of the entire drive c:/ on the exclusion list. Powershell try powershell -enc “$BASE64 encoded payload to download next stage and execute it” In the exploit payloads, the actors added an exclusion rule to Windows Defender, which was run by the following PowerShell command:. There were originally unpatched VMware Horizon servers deployed by the organization that was detected by Iranian APT threat actors as part of an APT attack.Īfterward, the following malicious IP address was used by the threat actors to establish a connection, and this connection lasted for 17.6 seconds:. CISA also observed a DNS query for us‐nation‐nycf that resolved back to 4 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.” said in the CISA report.Ī remote exploit of Log4Shell can allow attackers to access sensitive information by moving laterally across breached networks that expose vulnerable servers. “Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. However, later it was discovered that the LDAP server IP address had been used by the threat actors to deploy the Log4Shell vulnerability. The organization’s VMware server was being accessed via HTTPS from the following IP address:. There are multiple threat actors, including state-sponsored hacking groups, who are still preying upon VMware Horizon and Unified Access Gateway (UAG) servers by exploiting the Log4Shell vulnerability. Laterally moved to the domain controller (DC). ![]() VMware Horizon servers are found to be vulnerable to the Log4Shell vulnerability which is associated with this known malicious IP address.īy exploiting the Log4Shell flaw threat actors installed XMRig crypto miner and then performed the following things:. Exploiting Log4Shell FlawĬISA discovered that bidirectional traffic was flowing between the network and an IP address that was known to be malicious. Recently, the FBI and CISA published a joint advisory in which they disclosed an Iranian APT group compromised the Federal Civilian Executive Branch (FCEB) organization network Domain controller by exploiting the Log4Shell RCE flaw (CVE-2021-44228) to deploy XMRig crypto-mining malware and credential Harvester.Īn Iranian APT Hacker group bypassed an unpatched VMware Horizon server which allowed them to compromise the federal network and maintained persistence within the network of the FCEB network with the help of reverse proxies.ĬVE-2021-44228 (log4Shell) was a zero-day vulnerability in Log4j, a popular Java logging framework involving arbitrary code execution, and affects a wide range of products, including the VMware Horizon.ĬISA observed the attackers attempting to dump the Local Security Authority Subsystem Service (LSASS) process with the task manager but this was stopped by additional anti-virus the FCEB organization had installed. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |