AA22-174A Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
Indicators
This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in CISA Cybersecurity Advisory (CSA), AA22-174A, pertaining to exploitation of Log4Shell in unpatched VMware Horizon and Unified Access Gateway systems.
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to networks, then implant loader malware on compromised systems and enable remote command-and-control (C2) access.
Loaders are often used as tools to distribute other malware and allow threat actors to steal credit card details, passwords, and other sensitive information, encrypt files, mine cryptocurrency, and so on; they frequently act as a precursor to ransomware attacks.
For more information about this activity, including detection and mitigation recommendations, please see Advisory "AA22-174A Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems."
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2022-06-23T00:00:00Z
T1190 - Exploit Public-Facing Application - Initial Access
T1053.005 - Scheduled Task/Job: Scheduled Task - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell - Execution
T1505.003 - Server Software Component: Web Shell - Persistence
T1036.004 - Masquerading: Masquerade Task or Service - Defense Evasion
T1021.001 - Remote Services: Remote Desktop Protocol - Lateral Movement
T1056.001 - Input Capture: Keylogging - Collection
T1560.001 - Archive Collected Data: Archive via Utility - Collection
T1071.001 - Application Layer Protocol: Web Protocols - Command and Control
T1090 - Proxy - Command and Control
T1105 - Remote File Copy - Command and Control
T1571 - Non-Standard Port - Command and Control
T1573.001 - Encrypted Channel: Symmetric Cryptography - Command and Control