Iranian government-sponsored threat actors have been blamed for compromising a US federal agency by taking advantage of a Log4Shell vulnerability in an unpatched VMware Horizon server.
The insights were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and are based on incident response efforts the agency conducted between mid-June and mid-July 2022.
CISA notes: “Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig cryptocurrency mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several servers to maintain persistence.”
Log4Shell, aka CVE-2021-44228, is a critical remote code execution vulnerability in the widely used Apache Log4j Java-based logging library. The maintainers of the open source project resolved the issue in December 2021.
The latest development marks the continued abuse of Log4j vulnerabilities in VMware Horizon servers by Iran’s state-sponsored groups since the beginning of the year. CISA did not attribute this event to a specific hacking group.
However, a joint advisory issued by Australia, Canada, the UK and the US in September 2022 called out Iran’s Islamic Revolutionary Guard Corps (IRGC) for exploiting the shortcoming to carry out post-exploitation operations.
The affected organization, according to CISA, is believed to have been compromised in early February 2022 by weaponizing the vulnerability to add a new exclusion rule to Windows Defender that allow-lists the entire C:\ drive.
Doing so made it possible for the adversary to download a PowerShell script without triggering any antivirus scanning; that script in turn retrieved the XMRig cryptocurrency miner, stored on a remote server as a ZIP archive.
Initial access further allowed the threat actors to fetch additional payloads such as PsExec, Mimikatz, and Ngrok, in addition to using RDP for lateral movement and disabling Windows Defender on endpoints.
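A whole-drive Defender exclusion of the kind described above is a configuration change that a defender can audit directly. The following PowerShell script is an added example and is not part of the CISA advisory or of any tooling it mentions: it reads the current exclusion list with the real Get-MpPreference cmdlet, flags entries that cover a drive root, a UNC share or a wildcard, and then pulls recent Defender configuration-change events (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) so the time of the change can be correlated with other activity. It assumes an elevated session on the host being checked; the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the advisory: audit Microsoft Defender path exclusions
# for overly broad entries (e.g. "C:\") and list recent configuration changes.
# Run in an elevated PowerShell session on the host under review.

# Matches a bare drive root such as "C:" or "C:\" with nothing after it.
$driveRootPattern = '^[A-Za-z]:\\?$'

$prefs = Get-MpPreference
$pathExclusions = @($prefs.ExclusionPath) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }

Write-Host ("Configured Defender path exclusions: {0}" -f $pathExclusions.Count)
foreach ($ex in $pathExclusions) {
    $flag = ''
    if     ($ex -match $driveRootPattern) { $flag = 'ENTIRE DRIVE EXCLUDED' }
    elseif ($ex -match '^\\\\')           { $flag = 'UNC path excluded' }
    elseif ($ex -match '[*?]')            { $flag = 'wildcard exclusion' }

    if ($flag) {
        Write-Warning ("{0,-40} {1}" -f $ex, $flag)
    } else {
        Write-Host ("{0,-40} ok" -f $ex)
    }
}

# Event ID 5007 records a Defender configuration change; exclusion additions are
# among them and the message text names the changed registry value.
# The seven-day look-back is an assumption; widen it to match the incident timeline.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Any drive-root exclusion the script warns about should be treated as a finding: the advisory's point is that such a rule lets a payload be downloaded and unpacked anywhere on the volume without a scan, so the legitimate reason for it (if any) needs to be documented, and the 5007 event gives the timestamp to pivot from into authentication and process logs.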
“Threat actors also changed the passwords for local admin accounts on several servers as a backup in case the rogue domain admin accounts were detected and terminated,” CISA noted.
Also detected was an unsuccessful attempt to dump the Local Security Authority Subsystem Service (LSASS) process using Windows Task Manager, which was blocked by the antivirus solution deployed in the IT environment.
Microsoft, in a report last month, revealed that cybercriminals are targeting credentials held in the LSASS process because it “can store not only the current user’s operating system credentials, but also domain admin credentials.”
“Stealing LSASS credentials is important to attackers because if they successfully dump domain passwords, they can, for example, use legitimate tools like PsExec or Windows Management Instrumentation (WMI) to move laterally across the network,” the tech giant said.
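The blocked Task Manager dump described above is exactly the kind of event a defender wants to see even when the antivirus stops it. The following PowerShell script is an added example, not code from the advisory or from Microsoft: it hunts through Sysmon Event ID 10 (ProcessAccess) records for any process that opened a handle to lsass.exe with memory-read rights, which is what a credential dump needs, and reports the source image and call trace. It assumes Sysmon is installed with a configuration that logs ProcessAccess events for lsass.exe; the allow-list of expected source images is a placeholder to be tuned per environment, and the 30-day window is arbitrary.

```powershell
# Added example, not from the advisory: find processes that opened lsass.exe with
# PROCESS_VM_READ rights, using Sysmon Event ID 10 (ProcessAccess).
# Assumes Sysmon is installed and configured to log ProcessAccess for lsass.exe.

# Placeholder allow-list (assumption): system binaries that legitimately read LSASS
# memory in this environment. Review and extend (e.g. with the EDR/AV agent) before use.
$allowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe'
)
$since = (Get-Date).AddDays(-30)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Sysmon writes its fields as <Data Name="..."> elements; flatten them into a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetImage'] -notlike '*\lsass.exe') { continue }

    # GrantedAccess is a hex mask such as 0x1010; bit 0x0010 is PROCESS_VM_READ,
    # the right needed to read credential material out of the process.
    $access = [Convert]::ToInt32($data['GrantedAccess'], 16)
    if (($access -band 0x10) -eq 0) { continue }

    if ($allowedSources -contains $data['SourceImage']) { continue }

    [pscustomobject]@{
        Time          = $ev.TimeCreated
        SourceImage   = $data['SourceImage']
        GrantedAccess = $data['GrantedAccess']
        CallTrace     = $data['CallTrace']
    }
}
```

In the scenario from the advisory, a dump attempted through Task Manager would surface here with taskmgr.exe as the SourceImage, regardless of whether the antivirus went on to block the write of the dump file; the CallTrace field helps distinguish a user-driven action from a tool that injected into a legitimate process to reach LSASS.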