Log4Shell Still Being Exploited to Hack VMware Servers to Exfiltrate Sensitive Data

The U.S. Cybersecurity and Infrastructure Security Agency
(CISA), along with the Coast Guard Cyber Command (CGCYBER), on
Thursday released a joint advisory warning of continued attempts on
the part of threat actors to exploit the Log4Shell flaw in VMware
Horizon servers to breach target networks.

“Since December 2021, multiple threat actor groups have
exploited Log4Shell on unpatched, public-facing VMware Horizon and
[Unified Access Gateway] servers,” the agencies said[1]. “As part of this
exploitation, suspected APT actors implanted loader malware on
compromised systems with embedded executables enabling remote
command-and-control (C2).”

In one instance, the adversary is said to have been able to move
laterally inside the victim network, obtain access to a disaster
recovery network, and collect and exfiltrate sensitive law
enforcement data.

Log4Shell[2], tracked as CVE-2021-44228[3]
(CVSS score: 10.0), is a remote code execution vulnerability
affecting the Apache Log4j logging library that’s used by a wide
range of consumers and enterprise services, websites, applications,
and other products.

Successful exploitation of the flaw could enable an attacker to
send a specially crafted command to an affected system, enabling
the actors to execute malicious code and seize control of the
target.

Based on information gathered as part of two incident response
engagements, the agencies said that the attackers weaponized the
exploit to drop rogue payloads, including PowerShell scripts and a
remote access tool dubbed “hmsvc.exe” that’s equipped with
capabilities to log keystrokes and deploy additional malware.

“The malware can function as a C2 tunneling proxy, allowing a
remote operator to pivot to other systems and move further into a
network,” the agencies noted, adding it also offers a “graphical
user interface (GUI) access over a target Windows system’s
desktop.”

The PowerShell scripts, observed in the production environment
of a second organization, facilitated lateral movement, enabling
the APT actors to implant loader malware containing executables
that include the ability to remotely monitor a system’s desktop,
gain reverse shell access, exfiltrate data, and upload and execute
next-stage binaries.

Furthermore, the adversarial collective leveraged CVE-2022-22954[4], a remote code execution
vulnerability in VMware Workspace ONE Access and Identity Manager
that came to light in April 2022, to implant the Dingo J-spy web
shell.

Ongoing Log4Shell-related activity even after more than six
months suggests that the flaw is of high interest to attackers,
including state-sponsored advanced persistent threat (APT) actors,
who have opportunistically targeted unpatched servers to gain an
initial foothold for follow-on activity.

According to cybersecurity company ExtraHop, Log4j
vulnerabilities have been subjected to relentless scanning
attempts, with financial and healthcare sectors emerging as an
outsized market for potential attacks.

“Log4j is here to stay, we will see attackers leveraging it
again and again,” IBM-owned Randori said[5]
in an April 2022 report. “Log4j buried deep into layers and layers
of shared third-party code, leading us to the conclusion that we’ll
see instances of the Log4j vulnerability being exploited in
services used by organizations that use a lot of open source.”
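The advisory's exploitation of unpatched servers and Randori's point about Log4j being buried in layers of third-party code both come down to the same defender's question: which archives on a host still bundle a vulnerable log4j-core? The scanner below is an added example, not code from CISA, CGCYBER, Randori or the article; it assumes the standard Maven pom.properties metadata shipped in log4j-core jars, and the version boundaries are the Log4j project's published fix versions for CVE-2021-44228 and its late-2021 follow-ups.

```python
import io, os, re, zipfile

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.17.1 is the
# first release that also carries the follow-up Log4j 2 fixes from late 2021.
VULN_RANGE = ("2.0-beta9", "2.14.1")
SAFE_FLOOR = "2.17.1"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def version_key(v):
    """Sortable key so that '2.0-beta9' < '2.0' < '2.14.1' < '2.17.1'."""
    main, _, pre = v.partition("-")
    nums = (tuple(int(x) for x in main.split(".")) + (0, 0, 0))[:3]
    return nums + ((0, int(re.sub(r"\D", "", pre) or 0)) if pre else (1, 0))

def classify(version, has_jndi_class):
    """Label one embedded log4j-core by version and JndiLookup.class presence."""
    k = version_key(version)
    if version_key(VULN_RANGE[0]) <= k <= version_key(VULN_RANGE[1]):
        # Deleting JndiLookup.class from the jar was the published stopgap.
        return "VULNERABLE" if has_jndi_class else "MITIGATED (JndiLookup removed)"
    if k < version_key(SAFE_FLOOR):
        return "OUTDATED (below %s)" % SAFE_FLOOR
    return "PATCHED"

def inspect_archive(data, path, findings):
    """Look for log4j-core in an archive, recursing into nested jars (WAR/EAR)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    if POM_PROPS in names:
        m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode(), re.M)
        if m:
            findings.append((path, m.group(1), classify(m.group(1), JNDI_CLASS in names)))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            inspect_archive(zf.read(name), path + "!" + name, findings)

def scan_tree(root):
    """Return (archive_path, version, status) for every log4j-core under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    inspect_archive(fh.read(), os.path.join(dirpath, f), findings)
    return findings
```

Nested paths are reported as `outer.war!WEB-INF/lib/inner.jar`, so a copy hidden inside a deployed application is attributed to the archive an operator would actually have to patch or replace.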

References

  1. said (www.cisa.gov)
  2. Log4Shell (thehackernews.com)
  3. CVE-2021-44228 (thehackernews.com)
  4. CVE-2022-22954 (thehackernews.com)
  5. said (www.randori.com)