CISA and U.S. Coast Guard warn outsiders of Log4Shell attacks
The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard Cyber Command (CGCYBER) are warning organizations that unpatched VMware Horizon and Unified Access Gateway (UAG) servers remain exposed to CVE-2021-44228, the vulnerability widely known as Log4Shell.
Government agencies say the vulnerability is being exploited by a range of threat actors, including state-backed groups.
As part of this exploitation, suspected APT actors planted loader malware on compromised systems, with embedded executables that could enable remote command and control.
In a confirmed breach, these APT actors were able to move laterally within the network, gain access to the disaster recovery network, and collect and exfiltrate sensitive data. In the second incident detailed in the alert, CISA said it was required to conduct an on-site incident response engagement.
In that intrusion, which began in late April and continued into May, CISA said it found the organization had been compromised by multiple threat actor groups.
According to CISA, one of the groups had been in the organization's network since January, possibly even earlier.
CISA added that the group gained access by exploiting the Log4Shell vulnerability in unpatched VMware Horizon servers.
By January 30, one of the groups had started using PowerShell scripts and eventually managed to move laterally to other production hosts and servers.
The group was then able to use a compromised administrator account to run loader malware.
“The loader malware appears to be a modified version of the SysInternals LogonSessions, Du, or PsPing software.
The embedded executable belongs to the same malware family, is similar in design and functionality to 658_dump_64.exe, and provides remote command and control ability.”