Reading:
Threat Actors Target VMware Servers by Exploiting Log4Shell Vulnerability

Threat Actors Target VMware Servers by Exploiting Log4Shell Vulnerability

June 24, 2022

The Log4Shell RCE vulnerability with code CVE-2021-44228 continues to be exploited by state-backed threat actors. Attackers utilize the vulnerability to target VMware Horizon and Unified Access Gateway servers.

By exploiting the Log4Shell vulnerability, attackers can gain lateral movement capability in networks and access systems where sensitive data is stored.

APT groups place loader malware with embedded executables that allow remote command and control (C2) on infected devices.

CISA Warns VMware Server Users

The joint security advisory, published by US Cybersecurity and Infrastructure Security Agency (CISA) and Coast Guard Cyber Command (CGCYBER), shared details of two incidents where threat actors targeted VMware servers by exploiting the Log4Shell vulnerability. 

Incident 1:

In the threat actor hunting conducted by CGCYBER, the attackers exploited the Log4Shell vulnerability to target a company using VMware Horizon. Threat actors, gaining access to the system, uploaded a file named hmsvc[.]exe to the compromised system.

According to the analysis, the file named hmsvc[.]exe was running as NT AUTHORITY\SYSTEM, which is the highest privilege in the Windows system. How the attackers escalated their privileges is unknown.

The hmsvc[.]exe file creates the C:\Windows\System32\Tasks\Local Session Updater, a Scheduled Task that runs malicious code hourly when the first run.

The malicious file contains the 658 dump64[.]exe remote access tool that supports C2 as an embedded executable. Through this file, operations performed on the target Windows system can be logged, additional loads can be loaded and executed, and access to the user interface is provided. 

Incident 2:

CISA observed bidirectional traffic between the victim organization and a possible APT IP address and found that threat actors were gaining access to an unpatched VMware Horizon server using Log4Shell.

Using PowerShell scripts to invoke 109.248.150[.]13 via HTTP after gaining access, the attackers attempted to simultaneously download and run a malware file from 109.248.150[.]13.

The following action of the threat actors was to use RDP to laterally migrate to the organization’s security management server, certificate server, databases containing sensitive data, email relay server, and recovery network. They also hijacked the administrator account credentials.

Finally, they loaded a loader malware containing executable files onto the system. Security researchers think the malware could be a modified version of SysInternals LogonSessions, Du, or PsPing.

Loader Malware Detected by CISA

  • SvcEdge[.]exe
  • Odbccads[.]exe
  • Praiser[.]exe
  • Fontdrvhosts[.]exe
  • winds[.]exe

See VMware’s security advisory for detailed information on the affected products and vulnerability, and this article for mitigation measures.

(CISA states that all unpatched servers are compromised and IoCs should be carefully monitored. (See: MAR-10382254-1 and MAR-10382580-1)

IOCs and TTPs

IOCs:

Type

Indicator

Description

IP Address

104.223.34[.]198

IP address closely associated with the installation of malware on victims.

92.222.241[.]76 

Victim 2 servers communicated with this IP address and sent data to it during a three-week period.

109.248.150[.]13 

Actors attempting to download and execute a malicious file from this address.

104.155.149[.]103 

Appears to be a part of the actors’ C2 infrastructure. 

Network Port

192.95.20[.]8:80

Same description as IP 192.95.20[.]8, but includes the specific destination port of 80, which was identified in logs and during malware analysis.

1389 

This was the most common destination port for Log4Shell exploitation outbound connections. Multiple unique destination addresses were used for the Log4Shell callback.

104.223.34[.]198:443 

IP address closely associated with the installation of malware on victims with the specific destination port of 443.

Scheduled Task

C:\Windows\System32\Tasks\Local Session Update 

Scheduled task created by hmsvc.exe to execute the program hourly.

File Path

C:\Windows\Temp\lnk{4_RANDOM_CHARS}.tmp 

File created by hmsvc.exe with a random four-character filename.

C:\Windows\Temp\lnk<4_RANDOM_NUMS_CHAR S>.tmp

File created by hmsvc.exe with a random four-character filename.

(Source: Log4Shell | CISA )

TTPs:

Tactic

Technique

Initial Access [TA0001]

Exploit Public-Facing Application [T1190

Execution [TA0002]

Command and Scripting Interpreter: PowerShell [T1059.001]

Scheduled Task/Job: Scheduled Task [T1053.005]

Persistence [TA0003]

Server Software Component: Web Shell [T1505.003]

Defense Evasion [TA0005]

Masquerading: Masquerade Task or Service [T1036.004]

Credential Access [TA0006]

 

Lateral Movement [TA0008]

Remote Services: Remote Desktop Protocol [T1021.001]

Collection [TA0009

Archive Collected Data: Archive via Utility [T1560.001]

Input Capture: Keylogging [T1056.001]

Command and Control [TA0011]

Application Layer Protocol: Web Protocols [T1071.001]

Encrypted Channel: Symmetric Cryptography [1573.001]

Ingress Tool Transfer [T1105]

Non-Standard Port [T1571]

 

Proxy [T1090]

(Source: Log4Shell | CISA )

Use SOCRadar® FOR FREE 1 YEAR

With SOCRadar® Free Edition, you’ll be able to:

  • Prevent Ransomware attacks with Free External Attack Surface Management
  • Get Instant alerts for fraudulent domains against phishing and BEC attacks
  • Monitor Deep Web and Dark Net for threat trends
  • Get vulnerability intelligence when a critical zero-day is disclosed
  • Get IOC search & APT tracking & threat hunting in one place
  • Get notified with data breach detection

Free for 12 months for one corporate domain and 100 auto-discovered digital assets. Get Free Access.