Update 1 to CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Seven Four Alpha.
Update released: July eighteenth, twenty twenty two.
CISA has updated this alert with an additional Malware Analysis Report that provides indicators of compromise. This report is linked in the show notes.
The following is the original text of the alert released on June twenty third, twenty twenty two.
Cyber threat actors, including state-sponsored APT actors, have continued to exploit the Log4Shell vulnerability in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds.
Log4Shell is a remote code execution vulnerability affecting the Apache Log4j library and a variety of products such as consumer and enterprise services, websites, applications, certain versions of VMware Horizon, and Unified Access Gateway servers. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system. The request allows the malicious actors to take full control of the affected system.
VMware made fixes available in December 2021. Since then, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control. In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
The alert documentation linked in the show notes provides the suspected APT actor’s tactics, techniques, and procedures, information on the loader malware, indicators of compromise, mitigation actions, and incident response recommendations. The information is derived from two related incident response engagements and malware analysis of samples discovered on victims’ networks.
CISA and US Coast Guard Cyber Command recommend that all organizations with affected systems that did not apply available patches or workarounds assume compromise and initiate threat hunting activities using the IOCs and the two malware analysis reports provided in the alert resources. If potential compromise is detected, administrators should apply the incident response recommendations included in the alert documentation and report key findings to CISA.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at firstname.lastname@example.org or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.