The activity started from IP address 104.155.149103, which appears to be part of the actors’ C2 infrastructure. In the same period, CISA observed the actors attempt to download and execute a malicious file from 109.248.15013. In an attack that took place at the end of January, threat actors exploited the Log4Shell in an unpatched VMware Horizon server, then used PowerShell scripts to connect a remote server (109.248.15013) via Hypertext Transfer Protocol (HTTP) to retrieve additional PowerShell scripts. “The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.” reads the joint alert. In one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.īased on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed “hmsvc.exe” that’s equipped with capabilities to log keystrokes and deploy additional malware. This alert includes information about APT actors’ tactics, techniques, and procedures (TTPs), along with indicators of compromise related to the loader malware. In one attack documented by the government experts, threat actors were able to move laterally inside the network and collect and exfiltrate sensitive data. The CVE-2021-44228 flaw made the headlines in December, after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability ( aka Log4Shell) that affects the Apache Log4j Java-based logging library.
“CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches.” reads the advisory.
0 kommentar(er)
