grejh.blogg.se

Vmware horizon server





So why is VMware Horizon View Composer Failing to Install?

Recently I have been testing moving Horizon View to Server 2016 since we will be migrating soon from 2012R2 to 2016 in production sometime this year. When I went to install Composer 7.5 (this also happened with 7.4) on a Composer standalone configuration, I would run into the Composer installer failing and attempting “Roll Back Action”. I started to notice 1603 setup exit code errors. So I started digging into the event viewer and vmmsi.log, which is located at (c:\users\%username%\Appdata\Local\Temp). After doing some digging, I found this in the log:

“CustomAction InstallVstor2Driver.5ACA97E0_7C64_4970_A763_840E81DAAF0B returned actual error code 1603 ”

So after finding this entry, I started looking at VMware docs and KB articles. I started verifying the SSLbind and ODBC connection. Looking through the logs, I found no errors for ODBC or SSLbind settings. So I decided to check the event viewer one more time. I noticed a weird audit failure in the security log, which was Event ID “5038” and had the following description:

“Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:\Device\HarddiskVolume4\Program Files (x86)\Common Files\VMware\VMware Universal File Access\vstor2-ufa.sys”

Right away I knew it was one of two things: Secure Boot or VBS (Virtualization-Based Security). After disabling Secure Boot, I was able to successfully install Composer 7.5. After a successful install, I looked at “vstor2-ufa.sys” and dug into the digital signature, which was signed by “VMware Inc” and was issued by “VeriSign”, which is already trusted. After rebooting, I turned Secure Boot back on and the Composer service was still running. I then created a desktop pool and was able to use linked clones successfully!

Tested Virtual Machine Version 13 and 14.

Power down the virtual machine that has the guest OS of Windows Server 2016 you’re trying to install Composer on.

Once the guest OS has successfully rebooted, check that the Composer service is running.

Verify the Composer service is still running.

Thanks for reading and hopefully this helps someone else out.

This post is co-authored by Charlie Stafford, Lead Security Researcher.

Attackers are actively targeting VMware Horizon servers vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell) and related vulnerabilities that were patched in December 2021. We’re sharing our observed activities and indicators of compromise (IOCs) related to this activity. We will update this blog with further information as it becomes available.

Details

Beginning Friday, January 14, 2022, Rapid7 Managed Detection & Response (MDR) began monitoring a sudden increase in VMware Horizon exploitation. The activity our teams are observing is similar to observed threat activity detailed by NHS Digital.





