In its post Saturday, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.” In particular, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.

Microsoft did not provide further details on any of these attacks. According to a post from Netlab 360, attackers have exploited Log4Shell to deploy malware including Mirai and Muhstik, two Linux botnets used for crypto mining and distributed denial of service (DDoS) attacks. VentureBeat has reached out to Microsoft for any updated information.

The Swiss Government Computer Emergency Response Team posted that it has observed use of Mirai and Muhstik (also known as Tsunami) to deploy DDoS attacks, as well as deployment of Kinsing malware for crypto mining.

Because the Log4Shell vulnerability is so broad, and deploying mitigations takes time in large environments, “we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention,” the company said in its post. In response to the vulnerability, Microsoft said that security teams should focus on more than just attack prevention, and should also be looking for indicators of an exploit using a behavior-based detection approach.

Cobalt Strike is a legitimate tool for penetration testing that is commercially available, but cyber criminals have increasingly begun to leverage the tool, according to a recent report from Proofpoint. “Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.”

I thought SSMC was the only app installed here but it looks like HPOneView was also installed and has been logging data since 2015. Still, if there's a way to tamp down on any SSMC logging, e.g. keep it at 3 months of data max, I'd be interested in knowing how.

I would either jump back to IMC (which works fine with 3.2.1 and 7k) or deploy the SSMC appliance which has been the going-forward platform for 3 years or so. What is your end game here? 3.6 is the latest to officially support 3.2.1 and you want the latest 3.8.x version to be unaffected by the latest log4j issue, so that would require a 3PAR OS upgrade (which probably isn't a bad idea if you intend to run these arrays going forward).

I didn't think the appliance would work at all with this 3PAR OS, so that is something at least. These are EOL soon (November?) and our support ends sooner than that. I think the plan is to migrate to NTAP or Pure or Nimble or Primera. I have quotes from the first 2 and looking to HP next for theirs. Need to do SQL application-aware backups and clones (and replication) which I know how to do with Netapp and Pure but not sure what currently is offered by HP, so having to look into that, too.

It would be up to you on what to do, but I wouldn't be surprised if call home isn't working due to old SP. So the quick fix is going back to IMC for management or getting the systems updated and using the latest appliance.