The Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard Cyber Command (CGCYBER) released a joint advisory, warning that multiple threat actors, including state-sponsored and ransomware groups, are still targeting unpatched Log4Shell vulnerabilities in VMware servers.
The advisory stated that advanced persistent threat (APT) actors exploited the Log4Shell remote code execution vulnerability CVE-2021-44228 in VMware Horizon and Unified Access Gateway (UAG) servers to move laterally across the network, escalate privileges, deploy malware, and exfiltrate sensitive data. Both Internet-facing and local VMware Horizon and UAG servers were affected.
In December 2021, authorities reported that Turkey, China (Night Sky ransomware), Iran (TunnelVision APT), and North Korea (Lazarus) leveraged the flaw to breach vulnerable systems.
Organizations with unpatched VMware servers are already compromised
CISA and CGCYBER advised organizations with unpatched VMware servers to consider themselves compromised and begin threat hunting.
“If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised,” CISA warned.
Subsequently, the agencies published a list of indicators of compromise (IoCs) to help organizations identify threats on their network. Additionally, the advisory recommended incident response activities to dislodge threat actors from the network.
These include isolating affected networks, reviewing logs and data, involving third-party incident response organizations, and reporting to CISA.
Additionally, CISA advised organizations to update the affected VMware servers to the latest versions or apply workarounds where updating would break the system.
Organizations should also update all software, minimize the number of internet-facing servers to reduce the attack surface, apply best practices in identity and access management, and install web application firewalls (WAFs).
Since January 2022, VMware has advised organizations to apply the necessary mitigations to prevent Log4Shell attacks leveraging the open-source Apache Log4j vulnerability.
In March 2022, Sophos warned that attackers were exploiting Log4Shell vulnerability on VMware servers to create backdoors for future cyber attacks, including ransomware.
Threat actors exploit Log4Shell vulnerability to deploy malware
The advisory warned that attackers exploited VMware servers with unpatched Log4Shell vulnerabilities to plant loader malware containing executables capable of remote command and control (C2).
“In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.”
CISA and CGCYBER found that the threat actors uploaded malware named hmsvc.exe that masqueraded as the legitimate Sysinternals LogonSessions Windows service. The malware ran with the highest privilege possible, NT AUTHORITY\SYSTEM, and connected to the threat actor’s IP address.
It also contained a remote access tool, 658_dump_64.exe, that provided a graphical user interface for monitoring compromised systems and could log keystrokes, deploy additional payloads, and act as a C2 tunneling proxy for remote operations.
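A defender can turn the behaviour described above (a SYSTEM-level service whose binary is hmsvc.exe or a LogonSessions lookalike, with outbound connections to an external address) into a simple hunt. The following is an added example, not code from the advisory or from CISA; the service and connection records are constructed, and the internal-network ranges and expected Sysinternals binary names are assumptions for the example.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed records modelled on service-install and outbound-connection
# telemetry. Paths and addresses are made up; hmsvc.exe, 658_dump_64.exe and
# the LogonSessions lure are the names reported in the advisory.
SERVICE_EVENTS = [
    {"name": "LogonSessions", "image": r"C:\Windows\Temp\hmsvc.exe", "account": "LocalSystem"},
    {"name": "LogonSessions", "image": r"C:\Tools\Sysinternals\logonsessions64.exe", "account": "LocalSystem"},
    {"name": "LogonSessions Svc", "image": r"C:\ProgramData\svc\update.exe", "account": "LocalSystem"},
    {"name": "VMBlastSG", "image": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\nssm.exe", "account": "LocalSystem"},
]
NET_EVENTS = [
    {"image": r"C:\Windows\Temp\hmsvc.exe", "dst": "203.0.113.45", "port": 443},
    {"image": r"C:\Tools\Sysinternals\logonsessions64.exe", "dst": "10.0.0.5", "port": 445},
]

SYSINTERNALS_LOGONSESSIONS = {"logonsessions.exe", "logonsessions64.exe"}  # assumed genuine names
KNOWN_BAD_BINARIES = {"hmsvc.exe", "658_dump_64.exe"}  # reported in the advisory
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
# Assumed enterprise address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def binary_name(image_path):
    return PureWindowsPath(image_path).name.lower()

def is_internal(addr):
    """True when addr falls inside the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def hunt_services(service_events):
    """Return (service name, reason) for installed services that warrant review."""
    findings = []
    for ev in service_events:
        exe = binary_name(ev["image"])
        if exe in KNOWN_BAD_BINARIES:
            findings.append((ev["name"], f"binary {exe} named in advisory"))
        elif "logonsessions" in ev["name"].lower() and exe not in SYSINTERNALS_LOGONSESSIONS:
            findings.append((ev["name"], f"LogonSessions lookalike backed by {exe}"))
    return findings

def hunt_egress(service_events, net_events):
    """Return (binary, destination) for SYSTEM-level service binaries talking to external hosts."""
    system_images = {ev["image"].lower() for ev in service_events if ev["account"].lower() in SYSTEM_ACCOUNTS}
    findings = []
    for ev in net_events:
        if ev["image"].lower() in system_images and not is_internal(ev["dst"]):
            findings.append((binary_name(ev["image"]), ev["dst"]))
    return findings
```

Any hit from either function is a review item, not a verdict; confirm it against the advisory's published IoCs and the binary's signature before acting.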
CISA also responded to another victim infiltrated by multiple threat actors who exploited the Log4Shell vulnerability to gain access. The threat actors used Windows PowerShell scripts and attempted to download a malicious file from their C2 infrastructure.
They also used the Remote Desktop Protocol (RDP) to move laterally and access a security management server, a mail relay server, a certificate server, and a database containing sensitive law enforcement information.
Additionally, they gained access to administrator accounts using undocumented techniques. Subsequently, they deployed loader malware similar to 658_dump_64.exe, along with modified versions of Sysinternals LogonSessions, Du, and PsPing. The malware could monitor the compromised system’s desktop, provide a reverse shell, deploy additional payloads, and exfiltrate data.
One of the threat actors had access to the victim’s test and production environments. The attacker leveraged another remote code execution vulnerability, CVE-2022-22954 in VMware Workspace ONE Access, to drop the Dingo J-spy web shell.
Detecting compromised VMware servers at government organizations about six months after the company released updates suggests a bigger problem.
“This vulnerability has followed a typical path – after the initial discovery, there was a flurry of patching by security-conscious organizations, and then it dropped out of the news,” Kumar Saurabh, CEO and co-founder of LogicHub, said. “But there are always servers that get missed or organizations that don’t keep up with patching.
“Vulnerabilities can stay around for a long time, and continue to be exploited as long as there are gaps. It’s critical that we remain vigilant about any exploit, even if it’s been checked off the list as ‘done.’”
According to Erich Kron, security awareness advocate at KnowBe4, the joint cybersecurity alert underscores the severity of the Log4Shell vulnerability and the sophistication of the attackers.
“Patching is a critical part of any organization’s security plan, and devices connected to the internet while unpatched, especially against a well-known and exploited vulnerability, create a serious risk for the organizations and their customers,” Kron said.
“While patching can be a challenge and can even pose a real risk of an outage if there are problems, any organizations that have internet-facing devices should have a system in place, and testing, to reduce the risk significantly.”