
Initial Access Broker (IAB) group Prophet Spider and an unknown threat group are actively attempting to exploit the Log4j vulnerability in VMware Horizon. In ongoing threat campaigns, the attackers attempt to initiate the attack via a Log4Shell payload similar to $ targeting vulnerable VMware Horizon servers. The attack exploits the Log4Shell vulnerability in the Apache Tomcat service embedded within VMware Horizon, resulting in the Horizon server calling back over the LDAP protocol and loading a malicious Java class. The malicious Java class attempts to abuse the ws_TomcatService.exe process to spawn either cmd.exe or powershell.exe as child processes, and further injects a web shell into absg-worker.js. The 'VMBlastSG' service is forcibly restarted to start the Blast Secure Gateway listener on port 8443 for any IP address, which gives the attacker a stealthy persistence method. Post exploitation, the threat actors use encoded PowerShell commands to download a second-stage payload (such as Cobalt Strike beacons, a cryptominer or ransomware) to the victim systems.

The hackers behind the attack intend to use it to establish persistent communication with a command and control server, which could then be used to carry out other malicious activities such as deploying additional malicious software, exfiltrating data, or deploying ransomware.

Recommended remediations:

- Block the threat indicators at their respective controls.
- Ensure Microsoft Windows workstations, Microsoft Exchange Server and Microsoft IIS Server are updated with the latest security patches.
- Ensure VMware Horizon servers are updated with the latest security patches.
- Ensure domain accounts follow the least privilege principle and ensure two-factor authentication is enabled on all business email accounts.
- Ensure VPN client software and VPN servers are patched with the latest security updates released by the vendor.
- Keep all systems and software updated to the latest patched versions.
- Set the PowerShell execution policy to execute only signed scripts. A change in this policy on a system may be a way to detect malicious use of PowerShell.
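As an added detection example (not part of the advisory), the following Python scans process-creation events for the two behaviours described above: ws_TomcatService.exe spawning cmd.exe or powershell.exe, and encoded PowerShell commands being launched. The event field names, the Sysmon-like dict format, the sample paths and the base64 blob are all assumptions constructed for the example.

```python
"""Detection logic for the VMware Horizon / Log4Shell chain in the advisory.

Added example, not the advisory's own code. Events are constructed here in a
simplified Sysmon-like dict format (an assumption); field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine, ProcessId).
"""
import re

# Parent/child pairs the advisory names as the malicious Java class's next step.
SUSPICIOUS_PARENT = "ws_tomcatservice.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# -EncodedCommand and its common abbreviations (-e, -ec, -en, -enc), followed by base64.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the detection names that match one process-creation event."""
    hits = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent == SUSPICIOUS_PARENT and child in SUSPICIOUS_CHILDREN:
        hits.append("horizon_tomcat_spawns_shell")
    if child == "powershell.exe" and ENCODED_RE.search(event.get("CommandLine", "")):
        hits.append("encoded_powershell")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each detection name to the ProcessIds that triggered it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev["ProcessId"])
    return findings

# Constructed sample events; the base64 is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"ProcessId": "1002", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"ProcessId": "1003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Both detections are coarse on purpose: legitimate Horizon maintenance or admin scripts can trigger them, so treat matches as triage leads and correlate with absg-worker.js modifications and VMBlastSG restarts.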
