[CDP-development] CISA and U.S. Coast Guard Publish Advisory on Cyber Actors Exploiting Log4Shell in VMware Horizon

Masse, Theresa theresa.masse at cisa.dhs.gov
Thu Jun 23 13:06:05 PDT 2022


FYSA



The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory<https://www.cisa.gov/uscert/ncas/alerts/aa22-174a> (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to networks.



Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. The advisory includes tactics used by actors, technical details on their tools and malware, and indicators of compromise (IOCs) to help organizations detect possible exploitation on their networks.



Log4Shell is a remote code execution vulnerability (CVE-2021-44228) affecting the Apache® Log4j library and a variety of products using Log4j, including certain versions of VMware Horizon and UAG. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system that causes the system to execute arbitrary code. The request allows the malicious actor to take full control of the affected system.



CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply updates or workarounds should assume compromise and initiate threat hunting activities using the IOCs and malware analysis provided in this CSA, Malware Analysis Report (MAR) [10382580-1<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174b>], and [MAR-10382254-1<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174a>]. If potential compromise is detected, administrators should apply the incident response recommendations included in the CSA and report key findings to CISA.


Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
