CISA: Log4Shell exploits still being used to hack VMware servers

CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.

Attackers can exploit Log4Shell remotely on vulnerable servers exposed to local or Internet access to move laterally across networks until they gain access to internal systems containing sensitive data.

After its disclosure in December 2021, multiple threat actors began scanning for and exploiting unpatched systems, including state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs.

Today, in a joint advisory with the US Coast Guard Cyber Command (CGCYBER), the cybersecurity agency said that servers have been compromised using Log4Shell exploits to gain initial access into targeted organizations' networks.

After breaching the networks, they deployed various malware strains providing them with the remote access needed to deploy additional payloads and exfiltrate hundreds of gigabytes of sensitive information.

"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2)," the advisory revealed.

"In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data."

Unpatched VMware systems should be considered compromised

Organizations that haven't yet patched their VMware servers are advised to tag them as hacked and start incident response (IR) procedures.

The steps required for proper response in such a situation include the immediate isolation of potentially affected systems, collection and review of relevant logs and artifacts, hiring third-party IR experts (if needed), and reporting the incident to CISA.

"CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1," the two agencies said.

"If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA."

Today's advisory comes after VMware has also urged customers in January to secure Internet-exposed VMware Horizon servers against ongoing Log4Shell attacks.

Since the start of the year, VMware Horizon servers have been targeted by Chinese-speaking threat actors to deploy Night Sky ransomware, the Lazarus North Korean APT to deploy information stealers, and the TunnelVision Iranian-aligned hacking group to deploy backdoors.

Until you can install patched builds by updating all affected VMware Horizon and UAG servers to the latest versions, you can reduce the attack surface "by hosting essential services on a segregated demilitarized (DMZ) zone," deploying web application firewalls (WAFs), and "ensuring strict network perimeter access controls."