VMware — CraftedSignal Threat Feed

VMware Tanzu Spring Boot Multiple Vulnerabilities

hello@craftedsignal.io — Tue, 28 Apr 2026 08:31:28 +0000

Multiple vulnerabilities exist in VMware Tanzu Spring Boot that could be exploited by malicious actors. While the specific CVEs and technical details of these vulnerabilities are not disclosed, the potential impact is significant. An attacker could leverage these vulnerabilities to achieve arbitrary code execution, circumvent security controls, manipulate or disclose confidential data, and even hijack authenticated user sessions. Given the widespread use of Spring Boot in enterprise applications, these vulnerabilities pose a substantial risk to organizations utilizing this framework. Defenders should prioritize identifying and mitigating these vulnerabilities to prevent potential exploitation.

Attack Chain

An attacker identifies a vulnerable endpoint in a Tanzu Spring Boot application.
The attacker crafts a malicious request designed to exploit a vulnerability, such as a deserialization flaw or an SQL injection point.
The malicious request bypasses input validation or authentication mechanisms due to the vulnerability.
The exploited vulnerability allows the attacker to execute arbitrary code within the context of the Spring Boot application.
The attacker leverages the code execution to gain access to sensitive data, such as database credentials or API keys.
The attacker uses the compromised credentials to access other systems or resources within the network.
The attacker escalates privileges within the Spring Boot application or the underlying operating system.
The attacker establishes persistence and maintains long-term access to the compromised system, potentially leading to data exfiltration or further malicious activities.

Impact

Successful exploitation of these vulnerabilities could lead to a wide range of damaging outcomes. Attackers could gain unauthorized access to sensitive data, disrupt critical business processes, or deploy ransomware. The lack of specific details regarding the number of victims and targeted sectors makes it difficult to quantify the precise impact, but the potential for widespread disruption is considerable, especially given the prevalence of Spring Boot applications. The ability to execute arbitrary code provides attackers with significant control over affected systems.

Recommendation

Investigate Tanzu Spring Boot applications for unusual process execution using the rule “Detect Suspicious Spring Boot Process Execution”.
Monitor web server logs for suspicious requests that could be indicative of vulnerability exploitation with the rule “Detect Malicious Request to Spring Boot Application”.
Implement strict input validation and output encoding measures in Tanzu Spring Boot applications to prevent common web application vulnerabilities.

Persistence via Windows Installer (Msiexec)

hello@craftedsignal.io — Thu, 05 Sep 2024 14:17:05 +0000

The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).

Unusual Process Loading Mozilla NSS/Mozglue Module

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

This brief focuses on detecting anomalous loading of Mozilla NSS (Network Security Services) and Mozglue libraries (specifically mozglue.dll and nss3.dll) by processes other than known Mozilla applications like Firefox and Thunderbird. The technique leverages Windows Sysmon Event ID 7 (ImageLoaded) to identify such instances. This activity is flagged as suspicious because legitimate software rarely loads these libraries outside of the intended Mozilla ecosystem. Attackers may attempt to load these libraries into other processes to perform malicious actions such as code injection, data exfiltration, or credential theft, while masquerading as legitimate software. This detection is crucial for identifying potentially compromised systems and preventing further damage.

Attack Chain

Initial Access: An attacker gains initial access to the system, possibly through phishing, exploiting a vulnerability, or using stolen credentials.
Persistence: The attacker establishes persistence on the system, ensuring continued access even after a reboot. This may involve creating scheduled tasks or modifying registry keys.
Privilege Escalation: The attacker elevates privileges to gain higher-level access to the system. This can be achieved through exploiting kernel vulnerabilities or misconfigured services.
Malware Installation: The attacker deploys malware or malicious tools onto the compromised system. This may involve downloading executables or scripts from a remote server.
Code Injection: The attacker injects malicious code into a legitimate process. This is often done to evade detection and execute malicious commands in a trusted context. In this scenario, the injected code might leverage Mozilla NSS/Mozglue libraries.
Credential Theft: The injected code attempts to steal credentials stored on the system. This may involve accessing LSASS memory or extracting credentials from web browsers.
Data Exfiltration: The attacker exfiltrates sensitive data from the compromised system. This may involve compressing data and transferring it to a remote server using protocols like HTTP or FTP.
Lateral Movement/Impact: Using stolen credentials or the compromised system as a pivot, the attacker moves laterally within the network to compromise additional systems, or achieves their ultimate objective, such as ransomware deployment or intellectual property theft.

Impact

Successful exploitation and anomalous loading of Mozilla libraries can lead to significant damage, including data breaches, financial loss, and reputational damage. Stolen credentials can be used to access sensitive systems and data, while injected code can disrupt critical business processes. The scope can range from individual workstations to entire networks, depending on the attacker’s objectives and level of access. The detection helps prevent credential theft, data exfiltration, and lateral movement.

Recommendation

Enable Sysmon Event ID 7 (ImageLoaded) logging on all Windows endpoints to ensure visibility into loaded modules (reference: data_source).
Deploy the Sigma rule Unusual Mozilla NSS/Mozglue Module Load by Non-Mozilla Process to your SIEM and tune the process exceptions for your environment (reference: rules).
Investigate any instances where Mozilla NSS/Mozglue libraries are loaded by processes not explicitly allowed in the exception list to determine if malicious activity is occurring (reference: search).
Correlate detections of unusual Mozilla library loading with other suspicious activity, such as network connections to known malicious domains or the execution of unusual processes, to identify potential compromises (reference: tags).
Review and update the list of legitimate applications that may load Mozilla NSS/Mozglue libraries in your environment to reduce false positives (reference: known_false_positives).

Kerberos Traffic from Unusual Process

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

This detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the lsass.exe process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than lsass.exe communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. This can help security teams identify potential credential access attempts and lateral movement within the network.

Attack Chain

An attacker compromises a user account or system within the domain.
The attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.
The malicious process attempts to request Kerberos service tickets (TGS) for various services within the domain. This is done by connecting to the Kerberos port (88) on a domain controller.
The attacker uses tools like Rubeus or Kerberoast.ps1 to enumerate and request TGS tickets.
The unusual process (not lsass.exe) sends Kerberos traffic to the domain controller.
The attacker extracts the Kerberos tickets from memory or network traffic.
The attacker cracks the offline TGS tickets to obtain service account passwords (Kerberoasting).
The attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.

Impact

A successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detection of this behavior can prevent attackers from gaining access to critical assets. While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.

Recommendation

Deploy the “Kerberos Traffic from Unusual Process” Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.
Investigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.
Review event ID 4769 for suspicious ticket requests as mentioned in the rule’s documentation.
Examine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.
Monitor for processes connecting to port 88, filtering out legitimate Kerberos clients like lsass.exe, using the “Detect Kerberos Traffic from Non-Standard Process” Sigma rule.
Investigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.

Potential Persistence via Time Provider Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Windows Time service (W32Time) synchronizes the system clock with other devices on the network, using time providers implemented as DLL files located in the System32 folder. This architecture can be abused by adversaries to establish persistence by registering and enabling a malicious DLL as a time provider. The W32Time service starts during Windows startup and loads w32time.dll. This technique involves modifying specific registry keys associated with the Time Providers, enabling a malicious DLL to be loaded and executed every time the service starts. This can allow an attacker to maintain persistent access to the system, even after a reboot. The Elastic Security team has identified this persistence method and provided a detection rule to identify such modifications.

Attack Chain

The attacker gains initial access to the system through an exploit, phishing, or other means.
The attacker obtains administrator privileges on the target system.
The attacker crafts or deploys a malicious DLL to be used as a time provider.
The attacker modifies the registry to register the malicious DLL as a valid time provider. The registry keys under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ are targeted.
The attacker enables the newly registered time provider.
The W32Time service is restarted, or the system is rebooted.
The W32Time service loads the malicious DLL, executing the attacker’s code.
The attacker maintains persistent access to the compromised system.

Impact

Successful exploitation allows the attacker to achieve persistence on the compromised system. The attacker can execute arbitrary code every time the W32Time service starts. This may lead to further malicious activities, such as data theft, lateral movement, or the installation of additional malware. The impact is significant, as the attacker can maintain long-term control over the system.

Recommendation

Deploy the Sigma rule Time Provider DLL Registration to detect the registration of new DLL files as Time Providers in the registry.
Enable Sysmon registry event logging to capture registry modifications, as this is a requirement for the provided Sigma rules.
Investigate any registry changes to the HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ path, especially those adding new DLLs, using the provided Sigma rule.
Monitor process execution for msiexec.exe installing DLLs in the Program Files\VMware\VMware Tools directory, which could indicate legitimate activity, but should still be validated.
Regularly audit and validate the list of registered Time Providers on critical systems.

LSASS Loading Suspicious DLL

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.

Attack Chain

An attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).
The attacker elevates privileges to gain sufficient access to interact with the LSASS process.
The attacker drops a malicious DLL onto the system, often disguised as a legitimate file.
The attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.
LSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.
The malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.
The attacker uses the stolen credentials for lateral movement to other systems on the network.
The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

Successful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.

Recommendation

Deploy the LSASS Loading Untrusted DLL Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.
Investigate any alerts generated by the Sigma rule and review the loaded DLL’s code signature and hash.
Block the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.
Implement application whitelisting to restrict which DLLs can be loaded into LSASS.
Enable Sysmon process creation and image load logging to provide the necessary data for detection.