23 June 2022

BLEEPING COMPUTER: Threat Actors, Advisories, Malicious Activities, Exploits, Vulnerabilities, Cybersecurity Analysis

All in a day... and yesterday

PowerShell

NSA shares tips on securing Windows devices with PowerShell

The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending system administrators to use PowerShell to prevent and detect malicious activity on Windows machines.

______________________________________________________________________________

TODAY

CISA: Log4Shell exploits still being used to hack VMware servers

CISA

  • June 23, 2022
  • 03:28 PM

CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.

Attackers can exploit Log4Shell remotely on vulnerable servers exposed to local or Internet access to move laterally across networks until they gain access to internal systems containing sensitive data.

After its disclosure in December 2021, multiple threat actors began scanning for and exploiting unpatched systems, including state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs.

Today, in a joint advisory with the US Coast Guard Cyber Command (CGCYBER), the cybersecurity agency said that servers have been compromised using Log4Shell exploits to gain initial access into targeted organizations' networks.

After breaching the networks, they deployed various malware strains providing them with the remote access needed to deploy additional payloads and exfiltrate hundreds of gigabytes of sensitive information.

"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2)," the advisory revealed.

"In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data."

Unpatched VMware systems should be considered compromised

Organizations that haven't yet patched their VMware servers are advised to tag them as hacked and start incident response (IR) procedures.

The steps required for proper response in such a situation include the immediate isolation of potentially affected systems, collection and review of relevant logs and artifacts, hiring third-party IR experts (if needed), and reporting the incident to CISA.

"CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1," the two agencies said.

"If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA."

Today's advisory comes after VMware has also urged customers in January to secure Internet-exposed VMware Horizon servers against ongoing Log4Shell attacks.

Since the start of the year, VMware Horizon servers have been targeted by Chinese-speaking threat actors to deploy Night Sky ransomware, the Lazarus North Korean APT to deploy information stealers, and the TunnelVision Iranian-aligned hacking group to deploy backdoors.

Until you can install patched builds by updating all affected VMware Horizon and UAG servers to the latest versions, you can reduce the attack surface "by hosting essential services on a segregated demilitarized (DMZ) zone," deploying web application firewalls (WAFs), and "ensuring strict network perimeter access controls."

______________________________________________________________________________

LATEST ARTICLES

Microsoft Azure

Get certified in cloud computing with this Microsoft Azure prep bundle

As cloud computing becomes more ubiquitous, getting certified in it can help your career. The Complete Microsoft Azure Certification Prep Bundle helps you master the cloud for $34.99, 97% off the $1194 MSRP.

  • BleepingComputer Deals
  • June 23, 2022
  • 02:11 PM
  • Comment 0
  • Phone call

    Spyware vendor works with ISPs to infect iOS and Android users

    Google's Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools.

  • Microsoft Edge

    Microsoft aims to make Edge the go-to browser for gaming

    Microsoft wants to make Edge the go-to browser for gaming, with new features unveiled today, including a new gaming portal and the public release of its Clarity boost upscaling feature when using Xbox Cloud Gaming.

  • DDoS

    Lithuania warns of rise in DDoS attacks against government sites

    The National Cyber Security Center (NKSC) of Lithuania has issued a public warning about a steep increase in distributed denial of service (DDoS) attacks directed against public authorities in the country.

  • malware skull

    Malicious Windows 'LNK' attacks made easy with new Quantum builder

    Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack.

  • Nichirin

    Automotive hose maker Nichirin hit by ransomware attack

    Nichirin-Flex U.S.A, a subsidiary of the Japanese car and motorcycle hose maker Nichirin, has been hit by a ransomware attack causing the company to take the network offline.

  • Hacker

    Chinese hackers use ransomware as decoy for cyber espionage

    Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities.

  • Metamask

    New MetaMask phishing campaign uses KYC lures to steal passphrases

    A new phishing campaign is targeting users on Microsoft 365 while spoofing the popular MetaMask cryptocurrency wallet provider and attempting to steal recovery phrases.

  • PowerShell

    Get more out of Windows with this PowerShell training bundle

    PowerShell is a useful tool for getting on top of your to-do list and freeing up your time. The 2022 Windows PowerShell Certification Bundle helps you get the most from it for $19.99, 98% off the $1200 MSRP.

    • BleepingComputer Deals
    • June 23, 2022
    • 07:12 AM
    • Comment 0
  • Conti

    Conti ransomware hacking spree breaches over 40 orgs in a month

    The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month.

  • > Related Articles:

    DHS orders federal agencies to patch VMware bugs within 5 days

    Cybersecurity agencies reveal top initial access attack vectors

    FBI, CISA, and NSA warn of hackers increasingly targeting MSPs

    US govt: Paying Karakurt extortion ransoms won’t stop data leaks

    CISA warns admins to patch actively exploited Spring, Zyxel bugs

    No comments: