Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns

If your organization is running VMware Horizon and Unified Access Gateway servers and you haven’t implemented the patches or workarounds to fix/mitigate the Log4Shell vulnerability (CVE-2021-44228) in December 2021, you should threat all those systems as compromised, the Cybersecurity and Infrastructure Security Agency (CISA) has advised on Thursday.

The agency accompanied the warning with detailed technical information and indicators of compromised related to two separate incident response engagements they and the United States Coast Guard Cyber Command (CGCYBER) have conducted in the past months.

The attacks

Since the public revelation of its existence and first detections of active exploitation in December 2021, attackers have been exploiting Log4Shell in a variety of the many vulnerable IT solutions.

According to the CISA, cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit Log4Shell in unpatched, internet-facing VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations.

“As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data,” CISA noted, and detailed both engagements – one of which ended up with them discovering that the victim organization was compromised by multiple threat actor groups.

One of these groups also leveraged CVE-2022-22954, a RCE vulnerability in VMware Workspace ONE Access and Identity Manager, to implant a webshell.

Following both compromises, the attackers exfiltrated sensitive data, some from one of the victims’ production environment, and may have gotten their hands on sensitive law enforcement investigation data.

What should you do?

As mentioned before, CISA advises organizations to assume that all their unpatched VMware Horizon and Unified Access Gateway servers are compromised and go from there.

Before cleaning the servers, the agency advises collecting and reviewing relevant logs, data, and artifacts and engaging incident responders to make sure “the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.”

Once that’s done, they should apply the fixes or workarounds, check that no vulnerabilities remain (with a vendor-supplied script), and commit to pushing out updates and patches for all solutions they use more quickly in the future.

“Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services,” CISA also counsels.

“Use best practices for identity and access management (IAM) by implementing multifactor authentication (MFA), enforcing use of strong passwords, and limiting user access through the principle of least privilege.”

It’s also a good idea to find other instances of vulnerable Log4j versions within your environment and start with remediation efforts. You should particularly check solutions that may make good targets for Log4Shell exploitation.

Log4Shell will probably continue to haunt many organizations for years, but yours doesn’t have to be one of them.

Don't miss