Today, CISA issued a warning about threat actors continuing utilising the Log4Shell (CVE-2021-44228) remote code execution vulnerability to attack VMware Horizon and Unified Access Gateway (UAG) servers.

Attackers can migrate laterally across networks until they get access to internal systems that contain sensitive data by using Log4Shell remotely on susceptible servers exposed to local or Internet access.

After it was made public in December 2021, a number of threat actors, including state-sponsored hacking organisations from Turkey, China, Iran, and North Korea as well as various access brokers frequently used by ransomware gangs, started looking for and attacking unpatched computers.

The cybersecurity organisation reported that servers have been compromised utilising Log4Shell exploits to obtain initial access into targeted businesses’ networks today in a joint advisory with the US Coast Guard Cyber Command (CGCYBER).

After breaking into the networks, they introduced multiple malware types that gave them the remote access they required to introduce new payloads and exfiltrate hundreds of gigabytes of private data.

According to the advisory, suspected APT actors implanted loader malware with embedded executables enabling remote command and control (C2) on affected devices as part of this exploitation.

These APT actors “were able to travel laterally inside the network, get access to a disaster recovery network, and capture and exfiltrate sensitive data in one confirmed compromise,” according to the report.

Unpatched VMware systems should be considered compromised

It is recommended that businesses who haven’t patched their VMware servers mark them as compromised and initiate incident response (IR) processes.

The quick isolation of possibly compromised systems, the gathering and analysis of pertinent logs and artefacts, the hiring of outside IR experts (if required), and the reporting of the incident to CISA are all measures that must be taken for an effective response in such a case.

Using the IOCs supplied in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1, CISA and CGCYBER advised all businesses with compromised systems that did not immediately install available patches or workarounds to presume compromise and begin threat hunting efforts.

Administrators “should use the incident response suggestions given in this CSA and submit relevant findings to CISA if potential compromise is found.”

After advising clients to protect Internet-exposed VMware Horizon servers from continuous Log4Shell attacks in January, VMware has issued another advice today.

Since the beginning of the year, Chinese-speaking threat actors have targeted VMware Horizon servers to spread the Night Sky ransomware, the Lazarus North Korean APT to spread information stealers, and the Iranian-aligned hacking organisation TunnelVision to spread backdoors.

You can lessen the attack surface “by hosting essential services on a segregated demilitarised (DMZ) zone,” “deploying web application firewalls (WAFs),” and “ensuring strict network perimeter access controls” until you can install patched builds by updating all impacted VMware Horizon and UAG servers to the most recent versions.