The CISA and the CGCYBER have released a joint Cybersecurity Advisory to warn network defenders against state-sponsored APT actors who continue to take advantage of Log4Shell in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations.
To get initial access to businesses, threat actors continue to take advantage of Log4Shell on VMware Horizon and Unified Access Gateway servers.
How are the systems compromised?
On infected devices, the suspected APT actors install loader malware to enable remote command and control.
These APT attackers moving laterally through the network could get access to a disaster recovery network.
The attackers later gather and exfiltrate private data in one single compromise.
Diving deeper into Log4Shell
Log4Shell is a remote code execution vulnerability affecting a variety of products, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon.
The vulnerability enables malicious actors to submit a request to a vulnerable system, causing it to execute arbitrary code.
The request allows the malicious actors to take full control of the affected system.
After obtaining access, some actors implanted loader malware on compromised systems.
Quick Incident Response
In case there is a system compromise then the administrators strongly recommend:
Immediately isolate the affected systems.
Collect and review relevant logs, data, and artifacts.
Request support from a third-party incident response organization, if needed.
Ensure affected VMware Horizon and UAG systems are updated to the latest version.
Ensure strict network perimeter access controls, and avoid non-essential hosting internet services to business operations.
Implement Web Application Firewalls to protect against web-based exploitation.
Strengthen the identity and access management by implementing multifactor authentication ad enforcing the use of strong passwords.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. In case of a potential compromise is detected, administrators should apply the incident response recommendations without fail.