"Since April 2022, hacker group Lazarus has been exploiting a Log4j remote code execution vulnerability to collect stolen information on unpatched VMware Horizon products," AhnLab Security Emergency Response Center (ASEC) said in a new report.

The attacks were allegedly first discovered in April, when North Korean hacking group Lazarus used NukeSped to install an additional console-based information-stealing malware that collects information stored on web browsers.

NukeSped is a "backdoor" that can perform various malicious activities based on commands received from domains controlled by remote attackers. It was first linked to North Korean hackers in the summer of 2018, and was later found to be linked to a 2020 campaign orchestrated by hacker group Lazarus.

Some of the key functions of this NukeSped backdoor include: capturing keystrokes and screenshots, accessing the device's webcam, dropping additional payloads such as info-stealers, and more.

I still remember that in December last year, the "crisis" of the Log4j2 vulnerability was suddenly exposed on the Internet, which immediately attracted the attention of global technology giants. Subsequently, in response to the security incident, many technology companies patched the affected systems overnight.

(Related reading: High-risk Bug! Apache Log4j2 Remote Code Execution Vulnerability: Officially being repaired urgently! https://segmentfault.com/a/1190000041096729 )

VMware released an update for its VMware Horizon server last December that addressed the vulnerability, and at the same time released updates for a number of other products that shipped with a vulnerable version of Log4j.

Despite this, Log4j attacks against VMware Horizon servers continue unabated. A growing number of hackers and ransomware groups are exploiting Log4Shell vulnerabilities to deploy ransomware and other malicious packages in the unpatched VMware Horizon virtual desktop platform.

Microsoft confirmed that as early as January 4 this year, a ransomware gang tracked as DEV-0401 exploited the vulnerability (CVE-2021-44228) in VMware Horizon to successfully compromise target systems and deploy ransomware.

This time, the North Korean hacker group Lazarus attacked VMware Horizon by exploiting the Log4j remote code execution vulnerability to inject a backdoor. CVE-2021-44228 (Log4Shell) is the CVE ID used to track and identify this vulnerability, which affects multiple products including VMware Horizon.

These hackers use the backdoor malware to "send command-line commands" to gather additional information, the researchers said, "and the collected information can later be used in lateral movement attacks."

"Attackers used NukeSped to additionally implant an infostealer, and both malware types found were console types, and the leaked results were not saved in a separate file. Therefore, it can be assumed that the attacker leaked the data by remotely controlling the GUI screen of the user's PC or through a pipeline," the researchers added.

Reference link: http://en.hackdig.com/05/345441.htm


MissD