The flaw in the Log4j component, known as “Log4Shell”, should have been fixed by organizations several months ago. But attackers are still using systems that remain vulnerable to access corporate networks.
The Cybersecurity & Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) have issued a joint advisory asking administrators to patch VMware’s Horizon and Unified Access Gateway (UAG) servers that use vulnerable versions of Log4j. VMware UAG enables employees to securely access Horizon virtual desktops and applications remotely.
Both VMware products were vulnerable to the Log4Shell flaw, identified as CVE-2021-44228, which was disclosed in December. VMware released patches for its devices in December and January.
The flaw was named Log4Shell because it gave attackers a shell to remotely access internet-connected devices that used Log4j.
“CISA and CGCYBER recommend that all organizations with affected systems that did not immediately apply available patches or workarounds assume compromise and initiate threat hunting activities,” says CISA.
Back in favor
According to CISA, the attackers used the flaw to gain access to a victim’s disaster recovery network and steal information, including administrator logins and passwords.
“Since December 2021, multiple groups of malicious actors have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers,” the agencies warn in their advisory. “As part of this exploitation, suspected APT-type actors implanted loader malware on compromised systems with embedded executables for remote command and control (C2). In a confirmed compromise, these APT actors were able to move laterally inside the network, accessing a disaster recovery network, in order to collect and exfiltrate sensitive data.”
Log4j is maintained by the Apache Software Foundation (ASF), but the open source component is used in a wide range of software on devices from many other vendors, including VMware, Cisco, IBM, and Oracle.
Log4Shell is considered difficult to patch due to the range of end users, device manufacturers, and services affected.
One of the most severe vulnerabilities
Log4Shell is “one of the most serious vulnerabilities I’ve seen in my entire career, if not the most serious,” said CISA director Jen Easterly. In January, she indicated that CISA had not found any significant intrusions through Log4j. However, she said attackers could wait until public concern about Log4Shell subsides before exploiting the affected systems.
Jen Easterly’s concerns appear to be borne out by subsequent investigations by CISA and CGCYBER into victim networks, which show attackers are using the flaw for purposes other than installing “cryptojackers”, or CPU-intensive cryptomining malware.
CGCYBER conducted a mission to a victim organization that was using a vulnerable version of VMware Horizon and discovered that the attackers had installed malware posing as Microsoft’s software for administrators.
VMware Horizon and RDP
At a second victim site investigated by US agencies, attackers first gained access to the VMware Horizon server and then used the Windows Remote Desktop Protocol (RDP) to gain access to hosts in the target’s production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. RDP is the primary method used by ransomware attackers to compromise a network.
The attackers on the second victim site also used RDP to access the disaster recovery network.
“The malicious actors obtained credentials for multiple accounts, including administrator accounts. It is not known how these credentials were acquired,” CISA said.