The US government’s Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a new warning over continuing exploitation of the dangerous CVE-2021-44228 Apache Log4j vulnerability – also known as Log4Shell – on VMware Horizon and Unified Access Gateway (UAG) servers.
In its advisory, the agency said threat actors were, by and large, using Log4Shell as a means to obtain initial access to organisations that did not apply available patches or workarounds when the vulnerability was exposed in December 2021.
Since that time, it said, multiple groups have exploited Log4Shell on unpatched, public-facing Horizon and UAG servers, usually to implant loader malware with embedded executables enabling remote command and control. In at least one known case, an advanced persistent threat (APT) actor was able to move laterally within its victim’s network, gain access to a disaster recovery network, and steal sensitive data.
“If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised,” CISA said.
LogicHub founder and CEO Kumar Saurabh commented: “This vulnerability has followed a typical path – after initial discovery, there was a flurry of patching by security-conscious organisations, and then it dropped out of the news. But there are always servers that get missed, or organisations that don’t keep up with patching.
“Vulnerabilities can stay around for a long time and continue to be exploited as long as there are gaps. It is critical that we remain vigilant about any exploit, even if it has been checked off the list as ‘done’.”
Erich Kron, security awareness advocate at KnowBe4, added: “Patching is a critical part of any organisation’s security plan, and devices connected to the internet while unpatched, especially against a well-known and exploited vulnerability, create a serious risk for the organisations and their customers.
“While patching can be a challenge and can even pose a real risk of an outage if there are problems, any organisations that have internet-facing devices should have a system in place, and testing, to reduce the risk significantly. The guidance issued by CISA and CGCYBER, that unpatched VMware servers vulnerable to the Log4Shell remote code execution vulnerability should be considered already compromised, only goes to underscore the severity of this vulnerability and the capabilities of the actors that are exploiting it.”
This is not the first time that VMware’s Horizon lines have been singled out for particular attention. Back in March, Sophos published intelligence warning that attackers were exploiting Log4Shell to deliver backdoors and profiling scripts to unpatched Horizon servers, laying the groundwork for persistent access and future cyber attacks, including ransomware.
“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos.
More in-depth technical information on some of the observed Log4Shell incidents to which CISA has rendered assistance, including indicators of compromise (IoCs) and mitigation advice, can be read in full on the agency’s website.