CISA Warns of Continued Log4Shell Exploits in VMware Horizon Systems

June 27, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) released a joint cybersecurity advisory to warn organizations of continued Log4Shell (CVE-2021-44228) exploits in VMware Horizon Systems.

Experts have observed threat actors, including state-sponsored advanced persistent threat (APT) actors, leveraging Log4Shell in VMware Horizon and Unified Access Gateway (UAG) servers. The exploits have largely impacted organizations that had not previously applied available patches or workarounds.

“As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” the advisory explained.

“In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.”

Log4Shell was among the top 15 routinely exploited vulnerabilities in 2021, according to a previously released CISA report. Successful exploitation allows a threat actor to cause a system to execute arbitrary code by submitting a specially crafted request. The threat actor can then take full control of the impacted system.

In December 2021, VMware made fixes publicly available. CISA and CGCYBER recommended that all organizations with impacted systems (that did not immediately apply readily available patches or workarounds in December) assume that they have been compromised and activate threat hunting activities.

The advisory urged organizations that discover system compromise to immediately isolate affected systems, collect and review relevant data and logs, and consider engaging a third-party incident response team. In addition, organizations should report incidents to CISA’s 24/7 Operations Center.

Organizations should prioritize patching the vulnerabilities as quickly as possible and remove vulnerable components from the internet during the update process. If immediate patching is not possible, users should adhere to vendor-approved temporary workarounds (KB87073 and KB87092). These workarounds are not permanent fixes, and impacted entities should still update vulnerable components as soon as they can.

The continued exploitations suggest that organizations that fail to immediately patch known vulnerabilities may face unfortunate consequences. The exploits further validate the crucial need to keep all software up-to-date and prioritize patching known vulnerabilities before threat actors can take advantage of them.

This can be especially difficult in a healthcare setting, where many internet-connected medical devices are more than 10 years old and can be difficult to patch due to their portability. Nonetheless, it is in a healthcare organization’s best interests to implement medical device security best practices and keep an inventory of all internet-connected devices.

Organizations should also prioritize enterprise-wide patch management strategies and preventive maintenance in order to prevent data breaches and business disruptions.