The flaw in the application-logging component Log4j known as “Log4Shell” should have been patched by organisations months ago, but some systems that haven’t been patched with available updates are still being used by hackers to gain access to business networks.
The Cybersecurity & Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) have released a joint advisory telling admins to patch VMware’s Horizon and Unified Access Gateway (UAG) servers running vulnerable versions of Log4j. VMware’s UAG gives employees secure remote access to Horizon virtual desktops and apps.
Both VMware products were vulnerable to the Log4Shell flaw, CVE-2021-44228, which was disclosed by Log4j maintainer the Apache Software Foundation in December. VMware released patches for its devices through December and January.
It was called Log4Shell because it gave attackers a shell to remotely access internet-facing devices that used Log4j.
“CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities,” CISA said.
According to CISA, attackers used the flaw to access the disaster recovery network of a victim and steal information, including admin credentials that allowed for lateral movement.
“Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers,” the agencies warn in the advisory Alert (AA22-174A).
“As part of this exploitation, suspected advanced persistent threat actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data,” the agencies said.
Log4j is maintained by the Apache Software Foundation (ASF) but the open-source component is used in a broad array of software on devices from many other vendors, including VMware, Cisco, IBM and Oracle.
Log4Shell was considered difficult to patch due to the range of end-user organizations, device manufacturers and services affected by it.
CISA’s director Jen Easterly said Log4Shell was “one of the most serious that I’ve seen in my entire career, if not the most serious.” But in January she confirmed CISA hadn’t seen any significant intrusions through Log4j, although she still warned that attackers could be waiting for public alarm over Log4Shell to subside before exploiting affected systems.
Easterly’s warning appears to be justified by subsequent investigations carried out by CISA and CGCYBER at victim networks, which show attackers are using the flaw for more than installing “cryptojackers” or CPU-abusing cryptomining malware.
CGCYBER conducted a threat-hunting engagement at one victim organization that was using a vulnerable version of VMware Horizon and found the attackers installed malware impersonating Microsoft’s software for admins.
At a second victim site investigated by the agencies, hackers first gained access to the VMware Horizon server, and then used the Windows Remote Desktop Protocol (RDP) to gain access to hosts in the target’s production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. RDP is the premier method for ransomware attackers to compromise a network.
The attackers at the second victim site also used RDP to access the disaster recovery network.
“The threat actors gained credentials for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired,” CISA notes.
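As an added illustration (not taken from the CISA advisory or the original article), the sketch below hunts for the pattern described at the second victim site: RDP logons that originate from the Horizon server. The JSON-lines export format, host names, addresses, accounts and the `EDGE_SERVERS` list are constructed assumptions; event 4624 with logon type 10 is the Windows Security record of a successful Remote Desktop logon.

```python
import ipaddress
import json

# Constructed sample: Windows Security events exported as JSON lines.
# Every host, address, account and timestamp here is made up for illustration.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "Computer": "cert01", "IpAddress": "10.20.0.15", "TargetUserName": "svc_admin", "TimeCreated": "2022-01-12T02:14:07Z"}
{"EventID": 4624, "LogonType": 10, "Computer": "mail-relay", "IpAddress": "10.20.0.15", "TargetUserName": "svc_admin", "TimeCreated": "2022-01-12T02:31:40Z"}
{"EventID": 4624, "LogonType": 3, "Computer": "cert01", "IpAddress": "10.20.0.15", "TargetUserName": "HORIZON01$", "TimeCreated": "2022-01-12T01:00:00Z"}
{"EventID": 4624, "LogonType": 10, "Computer": "cert01", "IpAddress": "10.30.5.9", "TargetUserName": "alice", "TimeCreated": "2022-01-12T09:02:11Z"}
{"EventID": 4624, "LogonType": 10, "Computer": "dr-backup01", "IpAddress": "10.20.0.15", "TargetUserName": "administrator", "TimeCreated": "2022-01-13T03:05:52Z"}
not-json garbage line
"""

# Assumption: addresses of the internet-facing Horizon/UAG servers in this environment.
EDGE_SERVERS = [ipaddress.ip_network("10.20.0.15/32")]
LOGON_SUCCESS = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive (Remote Desktop / Terminal Services)


def from_edge_server(addr):
    """True if addr parses as an IP that belongs to one of the edge servers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # Windows often records "-" or an empty source address
    return any(ip in net for net in EDGE_SERVERS)


def hunt_rdp_from_edge(lines):
    """Return {destination host: [(time, account), ...]} for RDP logons from edge servers."""
    hits = {}
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines
        if not isinstance(ev, dict):
            continue
        if ev.get("EventID") != LOGON_SUCCESS or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if from_edge_server(ev.get("IpAddress", "")):
            entry = (ev.get("TimeCreated", "?"), ev.get("TargetUserName", "?"))
            hits.setdefault(ev.get("Computer", "?"), []).append(entry)
    return hits


if __name__ == "__main__":
    for host, logons in sorted(hunt_rdp_from_edge(SAMPLE_EVENTS).items()):
        for when, user in logons:
            print(f"{when}  {host}  RDP logon as {user} from edge server")
```

A remote-access gateway has little legitimate reason to open interactive RDP sessions to certificate, mail or disaster recovery hosts, so any hit is worth reviewing against change records.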