CISA warning about Log4Shell attacks on VMware Horizon systems (June 2022)

Sicherheit (Pexels, allgemeine Nutzung)[German]U.S. Cybersecurity & Infrastructure Agency (CISA) issued a strong warning as of June 24, 2022, that the Log4Shell vulnerability disclosed in December 2021 is being targeted by groups to attack unpatched VMware Horizon systems. In one confirmed case of compromise, these APT actors were able to move laterally in the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.


Advertising

The Log4Shell vulnerability

In December 2021, a critical vulnerability (Log4Shell) in the Java library log4j used for logging was publicly disclosed. This software is integrated in many other products. Thousands of services from Apple, Amazon, Twitter, Minecraft, etc. are vulnerable via this vulnerability. I had reported it within the blog post 0-day CVE-2021-44228 in Java library log4j puts many projects at risk. A critical vulnerability in the JNDI lookup function of the Java library log4j used for logging in the article 0-day CVE-2021-44228 in Java log4j library tangents numerous vendors in early December 2021. The vendor VMware is affected by the Log4Shell vulnerability with its products (see also Attacks on VMWare Horizon servers with log4j vulnerability).

The CISA alert

In Alert AA22-174A, CISA warns that cyber threat actors, including state-sponsored advanced persistent threats (APT) actors, continue to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to gain access to systems that have not applied available patches or workarounds.

Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, publicly accessible VMware Horizon and UAG servers. As part of this exploit, suspected APT actors implanted loader malware with embedded executables on compromised systems enabling remote command and control (C2). In a confirmed compromise, these APT actors were able to move laterally into the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

CISA urges administrators to update all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied after VMware released updates to Log4Shell in December 2021, all affected VMware systems should be treated as compromised. CISA has published details on the Indicators of Compromise (IoCs) and other details in Alert AA22-174A.

Similar articles
log4j FAQ and Repository
Log4j-News (2021/12/18)
Belgian Ministry of Defense affected by Log4j?
Attacks on VMWare Horizon servers with log4j vulnerability
VMware patches Spring4Shell RCE vulnerability CVE-2022-22965
Deep Panda: Targets VMware Horizon Server via Log4Shell
Log4j security messages (12/28/2021)
VMware products threatened by log4j vulnerability CVE-2021-44228
log4j vulnerability CVE-2021-44228: Patch your Minecraft


Advertising


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *