Huntress reports that attackers have started to exploit the Log4Shell vulnerabilities disclosed in December 2021 on servers running VMware Horizon to deploy Cobalt Strike. Log4Shell refers to several high-severity vulnerabilities in the Log4j package used by countless Java developers to create logs for their applications. Cobalt Strike is a command and control framework that security professionals use to measure an organization's ability to respond to malicious acts on its network. But hackers use cracked versions of the software, too, to carry out attacks. VMware describes Horizon as a tool that enables efficient and secure applications from off-premises to the cloud.

Huntress says that an unrelated Managed Antivirus detection (Microsoft Defender) "tipped our ThreatOps team" to new exploitation of the Log4Shell vulnerability in VMware Horizon on Jan. Others, including the DFIR Report and Red Canary, reported similar activity that day. Exploiting Log4Shell vulnerabilities to deploy Cobalt Strike makes sense. The former can give attackers their first access to a network; the latter can help them maintain that access, reach more information, compromise additional machines, and possibly evade detection.

If you are just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells, you should seriously consider the possibility that your server is compromised if it was unpatched and internet-facing. Huntress says "that 34% of the 180 horizon servers (62) we analyzed were unpatched and internet-facing when this publication happened." It also notes that the Shodan search tool lists about 25,000 web-facing Horizon servers. VMware advised Horizon users to update to the new versions of the software that include the fixes for the Log4Shell vulnerabilities. Huntress says companies with servers already compromised should restore their systems from a backup created prior to Dec. 25, 2021.

Talos, a security firm belonging to Cisco, has managed to track a new campaign by the state-run Lazarus APT group. It is a state-backed hacking group attributed to North Korea by the U.S. government as well as many security firms. I came across the article Lazarus and the tale of three RATs, published a few days ago with the details, via the following tweet.

The campaign, conducted by the Lazarus APT group between February and July 2022, exploited vulnerabilities in VMware Horizon to gain a foothold in targeted organizations. The original vector was to exploit the Log4j vulnerability on unprotected VMware Horizon servers. After all, I had reported about the vulnerability several times on the blog (see links at the end of the article). If you ask a search engine like Shodan for VMware installations accessible from the Internet, you will see quite a lot of red (see the following figure).

Once inside corporate networks, the deployment of the VSingle and YamaBot malware implants developed by the group began. In addition to these known malware families, the security researchers have also discovered the use of a previously unknown malware implant, which they call "MagicRAT". This campaign has already been partially uncovered by other security firms, but Cisco Talos can reveal more details about the adversary's modus operandi. In addition, the security researchers have identified overlaps in command and control (C2) and payload-hosting infrastructure between their own findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June 2022 recommendation. The CISA recommendations addressed continued attempts by threat actors to compromise vulnerable VMware Horizon servers. The targets include utilities from around the world, including those headquartered in the United States, Canada and Japan. The campaign aims to infiltrate organizations around the world to gain long-term access and subsequently exfiltrate data of interest to the adversary nation-state. Details can be read in the Talos blog post if interested.

One of the goals of the Lazarus APT group is to raise foreign currency for North Korea via digital heists. In March 2022, more than $600 million was stolen from the Ronin Network. The network belongs to the play-to-earn game Axie Infinity. The Lazarus Group is suspected to be behind it. In the post $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit, security researchers from Chainalysis report how they managed to seize some of the looted funds with the help of law enforcement and leading organizations in the cryptocurrency industry.