Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data

[#if smallImage??]
    [#if smallImage?is_hash]
        [#if smallImage.alt??]
            ${smallImage.alt}
        [/#if]
    [/#if]
[/#if]

Multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and [Unified Access Gateway] servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2).


Log4Shell, tracked as CVE-2021-44228 (CVSS score: 10.0), is a remote code execution vulnerability affecting the Apache Log4j logging library that's used by a wide range of consumers and enterprise services, websites, applications, and other products.

 

Successful exploitation of the flaw could enable an attacker to send a specially-crafted command to an affected system, enabling the actors to execute malicious code and seize control of the target.

 

Based on information gathered as part of two incident response engagements, the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed "hmsvc.exe" that's equipped with capabilities to log keystrokes and deploy additional malware.

 

The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.
The PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.

 

Furthermore, the adversarial collective leveraged CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager that came to light in April 2022, to deliver the Dingo J-spy web shell.
Ongoing Log4Shell-related activity even after more than six months suggests that the flaw is of high interest to attackers, including state-sponsored advanced persistent threat (APT) actors, who have opportunistically targeted unpatched servers to gain an initial foothold for follow-on activity.

 

According to cybersecurity company ExtraHop, Log4j vulnerabilities have been subjected to relentless scanning attempts, with financial and healthcare sectors emerging as an outsized market for potential attacks.

 

Log4j is here to stay, we will see attackers leveraging it again and again. Log4j buried deep into layers and layers of shared third-party code, leading us to the conclusion that we'll see instances of the Log4j vulnerability being exploited in services used by organizations that use a lot of open source.