As a continuation of our previously published blog post on VMware Horizon being targeted through the Log4j vulnerability (Log4Shell), we have now identified UniFi Network applications being targeted in a similar way on a number of occasions. Based on Morphisec prevention logs, the first successful exploitation we observed occurred on January 20, 2022.
What makes this attack stand out is that its command-and-control (C2) server correlates with infrastructure from the earlier SolarWinds attack, as reported by CrowdStrike.
Not surprisingly, a proof of concept (POC) for exploiting UniFi Network had been released about a month earlier (December 24, 2021), so we expected to see this kind of targeted exploitation in the wild.
The UniFi exploitation path was first posted by @sprocket_ed.
Log4j Vulnerability (Log4Shell) on Ubiquiti UniFi
Ubiquiti normal execution command line:
(We recommend alerting on any PowerShell execution that appears as a child process of this command line; the UniFi Java service has no legitimate reason to spawn PowerShell.)
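The parent/child check recommended above, written out as an added detection example (this is not Morphisec's code). It scans process-creation records shaped like Sysmon Event ID 1 (fields `Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`), flags PowerShell whose parent is the UniFi Network `java.exe`, and raises the severity when the PowerShell arguments carry common download-and-execute flags. The UniFi install path, the `-jar lib\ace.jar ui` parent command line, and the sample events are all constructed assumptions, not data from the original post; substitute the command line observed on your own hosts.

```python
"""Added example: detect PowerShell spawned by the UniFi Network Java process.

Assumptions (not from the original post): records are Sysmon Event ID 1-style
dicts, and the UniFi service runs as java.exe with the UniFi install directory
somewhere on its command line. The sample events below are constructed.
"""
import re
from typing import Dict, List, Optional

# PowerShell host binaries we treat as "PowerShell execution".
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Assumed substring that identifies the UniFi controller's java.exe command line.
# Replace with whatever the service's real command line on your hosts contains.
UNIFI_PARENT_MARKERS = ("unifi",)

# Arguments that commonly appear in Log4Shell-style second-stage loaders.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*|-e\b|-nop\b|-w(?:indowstyle)?\s+hidden|downloadstring|"
    r"iex\b|invoke-expression|frombase64string)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powershell(image: str) -> bool:
    return basename(image) in POWERSHELL_IMAGES


def is_unifi_java(parent_image: str, parent_cmdline: str) -> bool:
    """True when the parent is java.exe/javaw.exe launched for UniFi (assumed marker)."""
    if basename(parent_image) not in {"java.exe", "javaw.exe"}:
        return False
    lowered = parent_cmdline.lower()
    return any(marker in lowered for marker in UNIFI_PARENT_MARKERS)


def score_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a UniFi-java -> PowerShell event, else None."""
    if not is_powershell(ev["Image"]):
        return None
    if not is_unifi_java(ev["ParentImage"], ev["ParentCommandLine"]):
        return None
    indicators = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(ev["CommandLine"])})
    return {
        "utc": ev["UtcTime"],
        "pid": ev["ProcessId"],
        "parent_pid": ev["ParentProcessId"],
        "command_line": ev["CommandLine"],
        # Any PowerShell under the UniFi service is worth a look; encoded or
        # hidden-window arguments make it high severity.
        "severity": "high" if indicators else "medium",
        "indicators": indicators,
    }


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [alert for alert in map(score_event, events) if alert]


# Constructed sample records (assumed UniFi install path and command line).
UNIFI_JAVA = r"C:\Program Files\Ubiquiti UniFi\jre\bin\java.exe"
UNIFI_CMD = r'"C:\Program Files\Ubiquiti UniFi\jre\bin\java.exe" -jar lib\ace.jar ui'
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # service start: java.exe itself, not PowerShell -> no alert
        "UtcTime": "2022-01-20 03:12:01.000", "ProcessId": "4120", "ParentProcessId": "704",
        "Image": UNIFI_JAVA, "CommandLine": UNIFI_CMD,
        "ParentImage": r"C:\Windows\System32\services.exe", "ParentCommandLine": r"C:\Windows\System32\services.exe",
    },
    {   # encoded, hidden PowerShell under the UniFi service -> high
        "UtcTime": "2022-01-20 03:15:44.000", "ProcessId": "5588", "ParentProcessId": "4120",
        "Image": PS_EXE, "CommandLine": "powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA=",
        "ParentImage": UNIFI_JAVA, "ParentCommandLine": UNIFI_CMD,
    },
    {   # admin running PowerShell from Explorer -> wrong parent, no alert
        "UtcTime": "2022-01-20 09:01:10.000", "ProcessId": "6012", "ParentProcessId": "3300",
        "Image": PS_EXE, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
        "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # plain PowerShell under the UniFi service -> still medium
        "UtcTime": "2022-01-20 03:16:02.000", "ProcessId": "5610", "ParentProcessId": "4120",
        "Image": PS_EXE, "CommandLine": 'powershell.exe -Command "Get-Date"',
        "ParentImage": UNIFI_JAVA, "ParentCommandLine": UNIFI_CMD,
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["severity"], alert["utc"], alert["command_line"], alert["indicators"])
```

The rule keys on the parent relationship first and only uses the argument patterns to rank, so a loader that avoids `-enc` or `DownloadString` still surfaces as a medium alert rather than disappearing; tune `UNIFI_PARENT_MARKERS` to the real service command line before deploying.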
We found that the C2 used in this attack had previously been noted as a Cobalt Strike Beacon C2 in the SolarWinds supply chain attack, where it was attributed to TA505, aka GRACEFUL SPIDER.