+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Log4Shell (still) actively exploited on VMware Systems

The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) released a joint security advisory last week to warn of the active exploitation of CVE-2021-44228. This vulnerability is commonly known as Log4j, or Log4Shell because it gives attackers a shell that allows them to remotely access internet facing Log4j devices. 

Log4Shell affects Apache Log4j2 2.0-beta9 through to version 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1). First disclosed in December 2021, this vulnerability was tagged 10/10 critical by NIST, but as the recent security advisory explains, this is continuing to be exploited to provide attackers with initial access to networks. Log4Shell gives attackers the opportunity to implant loader malware onto compromised systems, which contains executables, allowing for a range of remote C2 capabilities.  

VMware strongly urged their customers in January to secure their internet facing VMware Horizon servers as they were aware that some companies had not been patched. This is an ongoing issue, and many organisations have still not yet updated their VMware Horizon or Unified Access Gateway (UAG) devices, and running unpatched systems, exposing them to this threat. CISA have advised that all organisations in this position treat their VMware systems as if they have been compromised and activate an incident response procedure immediately.  

 

Case Studies demonstrate the danger 

Two related case studies of confirmed compromises resulting from this vulnerability being exploited were detailed in last week’s alert. In one instance, the malicious code contained a modified version of a legitimate Microsoft Windows service: SysInternals LogonSessions software. This was found to be running at the highest possible privilege level on a Windows system, but it is currently unknown how the attackers successfully caused this elevation of privilege. The embedded executable in this attack was a remote access tool that allowed for a range of C2 (Command & Control) capabilities. These included the ability to log keystrokes, providing GUI access over a target Window’s system desktop, and attackers could upload and execute additional payloads. Attackers could also use the malware as a C2 tunnelling proxy, which allowed them to mover further into the network and pivot to other systems.   

The Windows loader, hmsvc, first creates a Scheduled Task, which will execute the malware every hour. When this occurs, two *.tmp files are written to the disk location to attempt to connect to the hard-coded C2 server, over a non-standard port, 4443. The embedded executable used in this attack has inbound and outbound communications encrypted with a 128-bit key. The most common port used for outbound connections was 1389, although multiple unique destination addresses were used for Log4Shell call-back. 

In the other case study, the malicious actors were found to be utilising PowerShell scripts through HTTP, triggering the downloading of malicious files. This was performed by the attackers gaining initial access to the VMware Horizon server, however once this attack occurred, they then moved laterally to multiple other hosts in the production environment, via the Remote Desktop Protocol (RDP). This gave the attackers access to multiple secure servers, including a database containing sensitive law enforcement data, and lateral movement to the organisation’s disaster recovery network.  

Credentials for multiple accounts, including administrator accounts, were obtained during this attack, but the method for how these were acquired is currently unknown. Administrator accounts were used to run the loader malware, which included modified version of SysInternals LogonSessions, Du, or PsPing software. The remote attackers could then access C2 capabilities, such as the ability to remotely monitor a system’s desktop, gain reverse shell access, and exfiltrate data. In the same way as with the first case study, attackers could also upload and execute additional payloads, and could use the malware as a proxy.  

 

This is as bad as it gets 

Organisations are advised to treat all unpatched systems as having been compromised.  

CISA and CGCYBER recommend the following steps for how to proceed in this situation: 

  • Immediately isolate affected systems.  
  • Collect and review relevant logs, data, and artifacts. 
  • Consider soliciting support from a third-party incident response organization. They can provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation. 
  • American organisations are advised to report all known incidents to CISA [email protected] or the US Coast Guard National Response Centre [email protected] 
  • UK based organisations should report incidents to the NCSC at https://report.ncsc.gov.uk/  

Any systems that have not been patched since the December and January VMware updates were released should be updated in order to ensure the system is protected. While these updates are being applied, organisations should consider removing any vulnerable components from the internet to limit the scope of traffic. All network perimeter access controls should also be reviewed, to ensure they are as restrictive as possible.  

Some temporary workarounds are also possible if updates cannot be applied immediately. This includes minimising the internet facing attack surface by implementing a segregated demilitarised zone (DMZ) where essential services can be hosted. This should include strict network perimeter access controls, and should not host any internet facing services that are non-essential to business operations. Regularly updated web application firewalls (WAFs) should also be implemented in front of public-facing services to further protect against exploitation. WAFs can block malicious traffic and alert the organisation so further steps can be taken to prevent any other hacking attempts.  

 

How to protect your organisation 

We just don’t know what the next critical vulnerability will be that could leave our networks vulnerable, but we do know what the basic steps are that every organisation can take to improve their baseline level of security: 

The NCSC advice is to update all software and devices promptly, within a few days of the patch release if possible. It is important to prioritise the updates of systems in the same way hackers will prioritise their attacks – if they are targeting the most dangerous critical vulnerabilities, then you should be too. Consider having a system in place to learn about what vulnerabilities affect your networks, and how severe an exploitation could be on your unique network. To ensure timely updates, you could speed the introduction and testing of security patches by configuring test and development systems to apply patches automatically, and then patch production systems as soon as you have confidence in the new software. 

Using the principle of least privilege when setting up user accounts helps to limit access to areas of the network with more sensitive data, so users have just enough access to complete their work, but nothing more. This can provide extra protection for more sensitive files, because when malicious users gain access to a system, their access is limited to the permissions of the account they have compromised. So, using the principle of least privilege helps limit the value of any one compromised account.  

All your system admins should have two accounts, one for every-day activities like reading email and surfing the web, and another only used when ‘admin’ rights are really required. All accounts can be further protected through the use of multi-factor authentication and enforcing strong password policies, which both reduce the risk of the account becoming compromised.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top