First discovered in December 2021, the Log4Shell vulnerability continues to be exploited by threat actors, as highlighted in a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) on 23 June.
Cyber threat actors have exploited unpatched, public-facing VMware Horizon, a virtual desktop provider, and Unified Access Gateway (UAG) servers to gain initial access to networks, the joint advisory said.
VMware did make fixes available for the vulnerability in December 2021.
Multiple threat actors target victims
The joint statement highlights two incidents where the CISA and CGCYBER were involved in response.
In one of the incidents, more than 130GB of data was sent by the security management server to a foreign IP address.
The CISA had been conducting an onsite incident response engagement at an organization (Victim 2) where CISA observed bi-directional traffic between the organization and suspected APT IP address 104.223.34[.]198.
During incident response, between late April and May 2022, CISA determined Victim 2 was compromised by multiple threat actor groups.
It is likely that the threat actors gained access to the victim’s production environment in late January, according to the CISA. After gaining access to the VMware Horizon server, they moved laterally via Remote Desktop Protocol (RDP) to other hosts in the production environment including the aforementioned security management server.
For a three-week period, the security management and certificate servers communicated with the foreign IP address.
The second incident highlighted saw CGCYBER conduct a proactive threat-hunting engagement at an organization compromised by actors exploiting Log4Shell in VMware Horizon.
After obtaining access, threat actors uploaded malware, hmsvc.exe, to a compromised system. During malware installation, connections to IP address 104.223.34[.]198 were observed.
Hmsvc.exe is a trojan that masquerades as a legitimate Microsoft Windows service (SysInternals LogonSessions software) and is embedded with malicious packed code. CGCYBER discovered that, when running, hmsvc.exe had the highest privilege level on a Windows system, but it is unknown how the actor elevated this privilege.
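A hunt for the traffic pattern described in both incidents, as an added example rather than code from the advisory: it refangs the IP address quoted above and totals outbound bytes and contact span per internal host from flow records. The CSV log format, internal addresses, thresholds and sample records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Indicator as printed in the article above (defanged form).
DEFANGED_IOCS = ["104.223.34[.]198"]

# Constructed sample flow records (not real telemetry): time,src,dst,bytes_out
SAMPLE_FLOWS = """\
2022-04-01T02:10:00,10.0.5.20,104.223.34.198,42000000000
2022-04-09T02:15:00,10.0.5.20,104.223.34.198,51000000000
2022-04-21T02:05:00,10.0.5.20,104.223.34.198,38000000000
2022-04-03T11:00:00,10.0.5.31,104.223.34.198,120000
2022-04-03T11:02:00,10.0.7.44,93.184.216.34,900000
"""

def refang(indicator):
    """Turn a defanged address such as 1.2.3[.]4 back into a matchable string."""
    return indicator.replace("[.]", ".")

def hunt(flow_csv, defanged_iocs, min_bytes=1_000_000_000, min_days=7):
    """List every internal host that contacted an indicator address.

    'flagged' marks hosts with a large outbound volume or contact sustained
    over many days; both thresholds are assumptions to tune per network.
    """
    iocs = {refang(i) for i in defanged_iocs}
    stats = defaultdict(lambda: {"bytes": 0, "first": None, "last": None})
    for ts, src, dst, nbytes in csv.reader(io.StringIO(flow_csv)):
        if dst not in iocs:
            continue
        when = datetime.fromisoformat(ts)
        s = stats[src]
        s["bytes"] += int(nbytes)
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    report = {}
    for src, s in stats.items():
        span_days = (s["last"] - s["first"]).days
        report[src] = {
            "bytes_out": s["bytes"],
            "span_days": span_days,
            "flagged": s["bytes"] >= min_bytes or span_days >= min_days,
        }
    return report

if __name__ == "__main__":
    for host, row in sorted(hunt(SAMPLE_FLOWS, DEFANGED_IOCS).items()):
        print(host, row)
```

Any host in the report has touched the indicator and merits review; the flag only orders the triage queue.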
Patching has always been the most important action to take in the face of the Log4Shell vulnerability, and the CISA and CGCYBER reiterate this in their 23 June statement.
Patching should be prioritized according to known exploited vulnerabilities (KEVs) which are listed on the CISA website.
Other actions include ensuring strict network perimeter access controls; not hosting internet-facing services non-essential to business operations; using best practices for identity and access management (IAM); implementing multifactor authentication (MFA); enforcing use of strong passwords; and limiting user access through the principle of least privilege.