Threat actors continue to exploit Log4Shell in VMware Horizon Systems

The U.S. CISA and the Coast Guard Cyber Command (CGCYBER) warn of attacks exploiting the Log4Shell flaw in VMware Horizon servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), published a joint advisory to warn of hacking attempts exploiting the Log4Shell flaw in VMware Horizon servers to compromise target networks.

“CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches.” reads the advisory.

The CVE-2021-44228 flaw made the headlines in December, after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

In one attack documented by the government experts, threat actors were able to move laterally inside the network and collect and exfiltrate sensitive data.

This alert includes information about APT actors’ tactics, techniques, and procedures (TTPs), along with indicators of compromise related to the loader malware.

In one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.

Based on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed “hmsvc.exe” that’s equipped with capabilities to log keystrokes and deploy additional malware.

“The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.” reads the joint alert.

In an attack that took place at the end of January, threat actors exploited the Log4Shell in an unpatched VMware Horizon server, then used PowerShell scripts to connect a remote server (109.248.150[.]13) via Hypertext Transfer Protocol (HTTP) to retrieve additional PowerShell scripts. In the same period, CISA observed the actors attempt to download and execute a malicious file from 109.248.150[.]13. The activity started from IP address 104.155.149[.]103, which appears to be part of the actors’ C2 infrastructure.

In a distinct attack, APT actors used PowerShell scripts in the production environment to facilitate lateral movement and implant loader malware that allows remotely monitoring a system’s desktop, gaining reverse shell access, exfiltrating data, and uploading and executing next-stage binaries.

The researchers observed a distinct threat actor exploiting the CVE-2022-22954 in VMware Workspace ONE Access and Identity Manager to deliver the Dingo J-spy web shell.

The alert includes Incident Response and Mitigations about the ongoing attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]