The IT Nerd

Security researchers at Symantec published a technical report today on a new malware loader tracked as Verblecon, which has escaped detection due to the polymorphic nature of their code. In other words, it changes itself to evade your typical antivirus product. The malware has been observed being used in attacks that install cryptocurrency miners on compromised machines.

Chris Olson, CEO of The Media Trust, had this to say:

 “Polymorphic techniques are just another way to hide malicious intentions, along with checks for security tools and live environments. What’s interesting is this attack provides another example of how the risks of Web 2.0 are being replicated in Web 3.0. Today’s embryonic beginnings of Web 3.0 are eerily reminiscent of the Web as it existed in the 1990s, showing sporadic signs of vulnerability that may well foreshadow a future era of cyber chaos. To prevent that from happening, we must learn from our past mistakes. Today’s digital ecosystem is riddled with threats because Web 2.0 was not designed for cybersecurity from the outset. Untrusted third parties were allowed to proliferate, leading to phishing attacks, malicious advertising, rampant data privacy abuse and other threats that are hard to fix in the present. With Web 3.0, we have a chance to account for potential attack vectors by design – otherwise, the same issues will replicate themselves with greater potency than ever.”

Symantec appears to currently protect their users from this threat. But one wonders how long that will be the case. And I honestly don’t want to take any bets on that.

Last year, I wrote about Log4Shell being actively exploited by threat actors to deliver malware and crypto miners. And that trend appears to be continuing as Sophos researchers warned today that Log4Shell is being exploited to infect VMware Horizon servers with backdoors and crypto miners. According to the report, the Log4Shell attacks target unpatched VMware Horizon with three different backdoors and four cryptocurrency miners.

In late December 2021 and in January 2022, there were multiple reports of active exploitation of the Log4Shell vulnerability in VMware Horizon servers. The attack used the Lightweight Directory Access Protocol resource call of Log4J to retrieve a malicious Java class file that modified existing legitimate Java code, adding a web shell that provided remote access and code execution to the attackers.  SophosLabs has observed these attacks in customer telemetry since the beginning of January.

The attempts to leverage Horizon, which continued and grew in number throughout January, were frequently associated with attempts to deploy cryptocurrency mining malware; others had less clear motives, and may be associated with initial access brokers or ransomware actors. These attacks continue.

So in short, you need to patch all the things to protect yourself… But:

Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature. VMware has pushed out patched versions of Horizon as of March 8 2022, but many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.

That’s not good. I have a comment on this from Saryu Nayyar, CEO and Founder of Gurucul:

“Similar to Cobalt Strike, this is an example of an assessment tool being weaponized by threat actors to breach organizations. It is critical to employ self-training machine learning and behavioral models to identify exploitation of the exposed vulnerability as well as detect the remote surveillance done by the attackers. Current XDR and traditional SIEM solutions, even with claims of User Entity Behavior Analytics rooted in known patterns and rule-based artificial intelligence, are unable to adapt to these methods. Organizations need to invest in solutions that employ transparent non rule-based machine learning models to more rapidly identify new attacks.”

So not only should you patch everything that runs VMware Horizon, but you should also go over your infrastructure with a fine tooth comb because the bad guys may already be in the door.

The war in Ukraine is clearly shifting to cyberspace as news is filtering out that Ukraine’s biggest telco has been hit by a “Powerful” cyberattack:

Ukraine’s state-owned telecommunications company Ukrtelecom experienced a disruption in internet service on Monday after a “powerful” cyberattack, according to Ukrainian government officials and company representatives.

The incident is the latest hacking attack against Ukrainian internet services since Russian military forces invaded in late February.

“Today, the enemy launched a powerful cyberattack against Ukrtelecom’s IT-infrastructure,” said Yurii Shchyhol, chairman of the State Service of Special Communication and Information Protection of Ukraine. “The attack was repelled. And now Ukrtelecom has an ability to begin restoring its services to the clients.”

“Currently, the attack is repulsed, the provision of services is gradually resumed,” said Ukrtelecom spokesperson Mikhail Shuranov.

Toby Lewis, Darktrace’s Global Head of Threat Analysis provided me with this analysis:

In what is being dubbed ‘World War Wired,’ it is no surprise that Russian cyber-attackers have targeted a major Ukrainian internet provider. Yet, while there has been some disruption to the ISP’s traffic, internet connectivity and cellular networks are largely still operable across the country. This attack has not achieved its desired level of disruption.

A lot of the discussion has focused on Russia’s offensive cyber power, but not enough time has been spent talking about Ukraine’s strong defense. Since the infamous 2015 cyber-attack on the Ukrainian power grid, Ukraine has made significant efforts to build up cyber-defenses, particularly around its critical infrastructure, and ensure resilience in future attacks. This strategy should come as no surprise to global cyber-defenders. Some intelligence even indicates alleged covert operations involving United States military personnel and private-sector engineers throughout 2021 to protect Ukraine against expected cyber-intrusions from Russian-sponsored proxies.

With little information available about the apparent DDoS attack on Ukrtelecom, the provider appears to be prioritizing critical infrastructure and managing disruption through their incident response. Like other Ukrainian organizations facing the threat of Russian cyber-aggression since 2015, it has had no choice but to develop effective cyber-defenses.

The era of they hybrid war is upon us. Which means that we will likely see more of this in Ukraine and beyond in the coming days or weeks. Thus it means that we all need to be prepared to deal with these attacks when they arrive.