The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) warned organizations that unpatched VMware Horizon and Unified Access Gateway (UAG) servers are still being exploited through CVE-2021-44228, known widely as Log4Shell.
The government agencies said the vulnerability is being used in attacks by a range of threat actors, including state-backed groups.
In an alert published on Thursday, the agencies included detailed rundowns of two different incidents affecting unnamed organizations where CVE-2021-44228 was exploited.
“As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” the agencies explained.
“In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.”
In the second incident detailed in the alert, CISA said it was forced to conduct an “onsite incident response engagement.”
During the attack, which began in late April and continued through May, CISA said it discovered the organization had been “compromised by multiple threat actor groups.”
One of the groups had been in the organization’s networks since January and may have been inside even earlier, according to CISA, which added that the group gained access by exploiting Log4Shell in an unpatched VMware Horizon server.
By January 30, one of the groups began using PowerShell scripts and eventually managed to move laterally to other production environment hosts and servers. The group was then able to use compromised administrator accounts to run loader malware.
“The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. The embedded executables belong to the same malware family, are similar in design and functionality to 658_dump_64.exe, and provide C2 capabilities to a remote operator,” CISA said.
“These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy.”
CISA found that the threat actors were able to collect and exfiltrate more than 130GB of data from the organization over a three-week period.
The cybersecurity agency said it also found .rar files “containing sensitive law enforcement investigation data under a known compromised administrator account.”
Another threat group gained access to the organization’s test and production environments on or around April 13 and used CVE-2022-22954 to implant the Dingo J-spy webshell.
CISA issued an emergency directive in May about CVE-2022-22954 after deploying an incident response team “to a large organization where the threat actors exploited” the recently discovered remote code execution vulnerability affecting multiple VMware products.
Any organizations that did not immediately apply the patches or workarounds for the vulnerability should “assume compromise and initiate threat hunting activities using the IOCs provided,” according to the advisory.
Despite being discovered in December 2021, CISA included Log4Shell on its list of the top 15 routinely exploited vulnerabilities in 2021.
In recent months, several cybersecurity firms have warned that Log4Shell is still an issue despite the global campaign to patch the vulnerability.
Yotam Perkal, vulnerability researcher at cybersecurity firm Rezilion, released a report in April that found 55% of applications still contained an obsolete version of Log4j in their latest versions.
About 90,000 machines and 68,000 public-facing internet servers were still vulnerable to Log4Shell, according to Perkal, who added that the time to patch the vulnerable containers exceeded 100 days and on average took 80 days.
David Wolpoff, CTO of security company Randori, told The Record that Log4j “was one of the worst vulnerabilities I’ve seen in my career, and no doubt will have long-lasting impacts.”
“The breadth of the issue and the difficulty in determining what was affected means that this will have a long tail to it,” Wolpoff explained.
“Many of the impacted applications were also really critical applications: VMware Horizon provides virtualized desktops; Jamf and MobileIron provide device management (sometimes fleet-wide).”