starsnero.blogg.se

VMware Horizon hackers under exploit by

The PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.

Furthermore, the adversarial collective leveraged CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager that came to light in April 2022, to deliver the Dingo J-spy web shell. The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network. Successful exploitation of the flaw could enable an attacker to send a specially-crafted command to an affected system, enabling the actors to execute malicious code and seize control of the target.

Based on information gathered as part of two incident response engagements, the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed "hmsvc.exe" that's equipped with capabilities to log keystrokes and deploy additional malware.

Log4Shell, tracked as CVE-2021-44228 (CVSS score: 10.0), is a remote code execution vulnerability affecting the Apache Log4j logging library that's used by a wide range of consumers and enterprise services, websites, applications, and other products. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2). Multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and servers.














