If your organization runs VMware Horizon and Unified Access Gateway servers and did not apply patches or workarounds to fix or mitigate the Log4Shell vulnerability (CVE-2021-44228) back in December 2021, you should assume those systems have been compromised, the Cybersecurity and Infrastructure Security Agency (CISA) advised on Thursday.
The agency has released detailed technical information and indicators of compromise from two separate incident response engagements that it and the United States Coast Guard Cyber Command (CGCYBER) conducted last month.
The attacks
Since its public disclosure in December 2021 and the first detections of active exploitation, attackers have been exploiting Log4Shell in a wide range of vulnerable IT solutions.
According to CISA, cyber threat actors, including state-sponsored Advanced Persistent Threat (APT) actors, continue to exploit Log4Shell on unpatched, internet-facing VMware Horizon and Unified Access Gateway servers to gain initial access to organizations.
“As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data,” CISA noted, and shared details of both engagements, one of which ended with responders discovering that the victim organization had been compromised by multiple threat actor groups.
CVE-2022-22954, an RCE vulnerability in VMware Workspace ONE Access and Identity Manager, was also used by one of these groups to implant a webshell.
In both compromises the attackers exfiltrated sensitive information from the victims’ production environments, and in one case they were able to get their hands on sensitive law enforcement investigation data.
What should you do?
As mentioned earlier, CISA advises organizations to assume that all of their unpatched VMware Horizon and Unified Access Gateway servers have been compromised and to treat them accordingly.
Before cleaning up the servers, the agency recommends collecting and reviewing relevant logs, data and artifacts, and bringing in incident responders to ensure that “actors have been removed from the network and to avoid residual issues that could enable follow-on exploitation.”
Once that is done, they should apply patches or workarounds, verify that no vulnerabilities remain (including by running the vendor-provided script), and commit to rolling out updates and patches for all the solutions they use more quickly in the future.
“Host essential services in an isolated demilitarized zone (DMZ), ensure strict network perimeter access controls, and minimize the internet-facing attack surface by deploying regularly updated Web Application Firewalls (WAFs) in front of public-facing services,” CISA also advised.
“Follow best practices for identity and access management (IAM) by enforcing the use of multifactor authentication (MFA) and strong passwords, and by restricting user access according to the principle of least privilege.”
It’s also a good idea to look for other instances of vulnerable Log4j versions in your environment and start remediation efforts, beginning with the solutions that make the most attractive targets for Log4Shell exploitation.
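Finding those other instances means inventorying every log4j-core copy on disk, including ones buried inside application WARs and fat JARs. The scanner below is an added example written for this article, not CISA's or VMware's tooling: it reads the Maven `pom.properties` that log4j-core ships with to get the version, flags anything below 2.15.0 as affected by CVE-2021-44228, and reports copies with `JndiLookup.class` removed (the vendor-documented class-removal workaround) as mitigated. The `build_archive` helper only constructs stand-in archives for demonstration; it does not produce a real Log4j build.

```python
import io
import re
import zipfile
from pathlib import Path

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 was the first release
# that addressed it, so any log4j-core below 2.15.0 is flagged. A copy with JndiLookup.class
# removed (the vendor-documented class-removal workaround) is reported as mitigated instead.
FIXED = (2, 15, 0)
CORE = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if not a version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None

def inspect_jar(data, label):
    """Classify one archive (bytes) and recurse into any archives nested inside it."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        if any(n.startswith(CORE) for n in names):  # log4j-core classes are present
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
            version = next((parse_version(l[8:]) for l in props if l.startswith("version=")), None)
            status = ("mitigated" if JNDI_CLASS not in names
                      else "patched" if version and version >= FIXED else "VULNERABLE")
            results.append((label, status, version))
        for name in names:  # fat JARs and WARs ship log4j-core as a nested archive
            if name.lower().endswith(NESTED):
                results += inspect_jar(zf.read(name), f"{label}!{name}")
    return results

def scan_tree(root):
    """Inspect every archive under a directory tree (e.g. an application install path)."""
    return [r for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in NESTED
            for r in inspect_jar(p.read_bytes(), str(p))]

def build_archive(entries):
    """Construct an in-memory zip from {entry name: bytes}; a test stand-in, not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run `scan_tree("/opt/app")` (any install directory) to get `(path, status, version)` tuples; nested hits are labelled `outer.war!WEB-INF/lib/inner.jar` so the owning application is obvious.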
Log4Shell will probably continue to haunt many organizations for years to come, but you don’t have to be one of them.