Attack Graph Response to US-CERT Alert (AA22-174A): Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

AttackIQ has released two new fully featured attack graphs emulating the tactics, techniques, and procedures (TTPs) used by likely nation-state adversaries that continue exploiting the Log4Shell vulnerability in VMware Horizon Systems. Read More

Sectors Targeted: Defense Industrial Base, Financial Services, Education, Hospitality

Late last week we published a blog post that announced new malware-based scenarios associated with nation-state adversaries that are actively exploiting the Log4Shell vulnerability in VMware Horizon systems as reported in US-CERT Alert AA22-174A. Today we follow that release with two new full-featured attack graphs that emulate the initial post-compromise behaviors used by those threat actors.

This added content not only seeks to validate signature-based protection but also recreates the actions taken by the adversary to validate our customers’ security posture against anomalous behavior including malicious network activity. The security alert identified two separate victims who were both compromised by the same initial infection vector but observed different methods of persistence and lateral movement.

Validating your security program performance against these specific threat actor behaviors is paramount in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  1. Evaluate security control performance against multiple paths the same actor may take after their initial compromise
  2. Assess the security posture of common living off the land discovery techniques that adversaries use to blend in with administrative activity
  3. Continuously validate detection and prevention pipelines beyond the Log4Shell exploit as actors will swap initial access methods but still perform similar behaviors post compromise.

Attack Graph – Log4Shell Exploitation leads to Scheduled Task Persistence and Reconnaissance – Victim 1

This first Attack Graph starts immediately after Log4Shell exploitation and initial access by the adversary. Once initial access is achieved, the actor’s trojanized Sysinternals tools are saved to disk and executed using the tool’s legitimate filenames.

Ingress Tool Transfer (T1105): Download and save the original samples of the actor’s trojanized executables.

Masquerading: Match Legitimate Name or Location (T1036.005): Execute an AttackIQ executable using the name of a legitimate Microsoft application.

After the malware is executed the first time, persistence is set up using a Scheduled Task with the name “Local Session Updater.” The final payload is decrypted from the trojanized tool and communication is established with the command-and-control server over port 443.

Scheduled Task (T1053.005): The Windows Task Scheduler is used to create a task that will execute a command at startup.

Non-Standard Port (T1571): The command-and-control communications are completed over port 443 but are not using the traditional HTTPS protocol. This scenario communicates over port 443 but doesn’t perform the traditional SSL handshake.

At this stage, commands are sent to the implant to perform common system reconnaissance techniques that inform the actors about the victim endpoint and network environment. The profiled data is then sent to the command-and-control server using the same port as before.

System Information Discovery (T1082): Execute native commands like “systeminfo” or “lshw” to learn about the system hardware configuration.

System Owner / User Discovery (T1033): Live off the land by running “whoami” and “users” to gain details about the currently available accounts and permission groups.

System Network Configuration Discovery (T1016): Run built-in tools and commands to get routing, network adapter, network shares, and connected domain controller information.

Process Discovery (T1057): “Tasklist” is executed as a command process and the results are saved to a temporary location.

Attack Graph – Log4Shell Exploitation leads to Lateral Movement over RDP and Reconnaissance – Victim 2

The second victim identified in the US-CERT alert experienced slightly different threat actor techniques in the early stages of the attack. This attack graph starts with the discovery of security software running on the host, a check-in with the command-and-control server, and the attempt to laterally move to other systems using remote desktop.

Security Software Discovery (T1518.001): A PowerShell script is executed to determine which software has been installed as an ‘AntiVirusProduct’ class.

Remote Services: Remote Desktop Protocol (T1021.001): Use common credentials to attempt to remote access another Windows system using the native Remote Desktop Protocol (RDP) connection.

The final malware payload is extracted from the trojanized software, as with the first victim, but instead of using a Scheduled Task for persistence, the adversary created a new Windows Service to ensure the malware is executed after a reboot.

Windows Service (T1543.003): Use the native “sc” command line tool to create a new service that will executed at reboot.

The final steps again match the techniques used against Victim 1 to conduct reconnaissance efforts against the infected host and the details are sent to the command-and-control server.

Opportunities for Extending the Attack Graph

In addition to these new attack graphs, we have released a new scenario that extends our Log4Shell exploitation coverage with one specifically designed to test exploitation of the Log4j vulnerability in VMware Horizon. This new scenario uses the “Accept-Language” header to target the “/portal/info.jsp” endpoint found on those application servers.

The Adversary Research Team decrypted and extracted the 2nd stage payloads from the trojanized Sysinternals’ tools which are now available as download and save scenarios for customers to test network and endpoint controls against the delivery of the backdoor payloads.

  • Log4Shell (CVE-2021-44228) Signature-Based Web Request – VMWare Horizon
  • Download 2022-04 Trojanized Sysinternals LogonSessions Tool A Decrypted Payload to Memory
  • Save 2022-04 Trojanized Sysinternals LogonSessions Tool A Decrypted Payload to File System
  • Download 2022-04 Trojanized Sysinternals LogonSessions Tool B Decrypted Payload to Memory
  • Save 2022-04 Trojanized Sysinternals LogonSessions Tool B Decrypted Payload to File System

Detection and Mitigation Opportunities

With so many different techniques being utilized by threat actors, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Exploit Public-Facing Applications (T1190)

Log4Shell was first reported in December 2021 and was designated with a 10.0 criticality rating. Patches for the different vulnerabilities found in applications like VMware Horizon have been available shortly after the vulnerability’s discovery. It is crucial that customers identify and patch hosts with this vulnerability and customers should develop robust patch management programs.

1a. Detections

Detecting Public-Facing Exploit attempts for vulnerabilities such as Log4shell can best be accomplished by network monitoring security controls. This is because the vulnerability is carried out by sending maliciously crafted HTTP requests to the vulnerable system which would result in remote code execution. The following indicators would be great pieces of content for Snort rules:

  • “jndi:ldap://”
  • “jndi:rmi://”
  • “jndi:ldaps://”
  • “jndi:dns://”
  • “jndi:iiop://”
  • “jndi:http://”
  • “jndi:nis://”
  • “jndi:nds://”
  • “jndi:corba://”

More information on creating Snort Rules can be found here

1b. Mitigations

Mitres mitigations for Exploit Public-Facing Applications (T1190):

Additionally, ensure that VMWare Horizon Systems are patched for Log4Shell in accordance with VMWare Security Advisories

 

2. Masquerading: Match Legitimate Name or Location (T1036.005)

Malicious actors love to use legitimate filenames to try and blend in with normal everyday activity. Searching for legitimate filenames being executed in untraditional directories can help discovery potential abuse.

2a. Detections

Using an EDR or SIEM product, this activity can be detected by looking for the following commonly copied system32 binaries:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTATINS (“copy” AND (“svchost.exe” OR “lsass.exe” OR “services.exe” OR “rundll32.exe” OR “csrss.exe” OR “msdtc.exe”) AND “%temp%”)

2b. Mitigations

Mitres mitigations for Masquerading: Match Legitimate Name or Location (T1036.005)

 

3. Scheduled Task (T1053.005) and Windows Service (T1543.003)

The threat actors in this report utilized two different methods to maintain persistence in their victim’s environment. Concerned about their potential loss of access, they are going to take steps to ensure they will remain on the infected host after reboots or partial remediation efforts. Disrupting their ability to maintain their foothold will help prevent their immediate return.

3a. Detections

Behavioral Detections can be utilized in EDR and SIEM products to detect and/or prevent malicious scheduling of tasks and creation of windows services:

Scheduled Task Detection:

Process Name == (cmd.exe OR powershell.exe)

Command Line CONTAINS (“schtasks” AND “/create” AND (“cmd” OR powershell”) AND (“.exe” OR “.bat”) AND “/ru system”)

Windows Service Detection:

Process Name == (cmd.exe or powershell.exe)

Command Line CONTAINS ((‘sc’ or ‘sc.exe’) AND ‘create’ AND ‘binpath=”<path to trusted executable>”’ AND start=”auto”)

3b. Mitigations

Mitres mitigations for Scheduled Tasks (T1053.005)

Mitres mitigations for Windows Service (T1543.003)

Conclusion

In summary, these two attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against an actor who can take multiple paths to achieve their goals. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.