CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG

The US Cybersecurity and Infrastructure Security Agency (CISA) has been investigating attacks exploiting the Log4Shell vulnerability in third-party products like VMware Horizon and Unified Access Gateway (UAG). The agency published indicators of compromise (IOCs) collected from incidents it investigated as recently as June, highlighting the long-lasting impact of this vulnerability that’s over six months old.

“From May through June 2022, CISA provided remote incident support at an organization where CISA observed suspected Log4Shell PowerShell downloads,” the agency said in a report this week. “During remote support, CISA confirmed the organization was compromised by malicious cyber actors who exploited Log4Shell in a VMware Horizon server that did not have patches or workarounds applied.”

The long tail of Log4Shell

The Log4Shell vulnerability, tracked as CVE-2021-44228, is a critical remote code execution flaw in a widely used Java logging library called Log4j. The vulnerability was originally reported in late November as a zero-day and was patched in Log4j on December 6, triggering an industry-wide patch and mitigation response.

However, security experts warned at the time that the issue will likely have a long-term impact since Log4j was used in millions of Java-based corporate applications and third-party products. This made it very hard and time consuming for security teams to discover, track and patch all instances of the flaw on their networks, especially since they depended on fixes being released by a wide range of software vendors.

In May, software supply chain security firm Sonatype, which runs and supervises the Central Repository of Java components, warned that 38% of Log4j downloads since December continued to be for vulnerable versions of the library and that rate continued at one out of three downloads per day.

This suggests that many application developers did not rush to update the dependencies in their applications to include patched versions of Log4j, but it could also be a symptom of the complex chain of dependencies common in the open-source ecosystem that goes many levels deep. Apps might not have Log4j as a direct dependency, but instead could depend on other packages that in turn depend on other packages, one of which could include Log4j without the developer of the main application even realizing if they don’t use software composition monitoring solutions.

This is not the case for the attacks reported by CISA, though, because VMware released patched versions, as well as manual workarounds for both Horizon and UAG since December, so it was up to affected organizations to deploy them in a timely manner.

PowerShell downloaders

In the attacks investigated by CISA, hackers exploited the Log4Shell vulnerability to deploy PowerShell scripts that acted as Trojan downloaders. The use of PowerShell as a malware delivery mechanism is very common among threat actors. That’s because PowerShell is a powerful scripting language and technology built into Windows by default to automate system administration tasks. Blocking PowerShell entirely across an organization’s systems is not a viable approach and using aggressive PowerShell detection rules can generate many false positives.

Along with the PowerShell scripts, CISA also recovered two XML files from the attacks that were used to set up scheduled tasks for persistence purposes on the compromised systems. An executable file written in Python was also found that was used to scan local IP addresses for other systems and open ports. In addition, the PowerShell scripts also deployed Nmap, an open-source network scanner, highlighting that one of the goals of the attackers was network ​​​​reconnaissance and lateral movement.

CISA published detailed descriptions of the files and artifacts used in the attacks, along with file hashes and other details that could be used by security teams to create detections in their own organizations.