CISA: Log4Shell exploits still being used to hack VMware servers
CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway servers using the Log4Shell remote code execution vulnerability.
Attackers can exploit Log4Shell remotely on vulnerable servers exposed to local or Internet access to move laterally across networks until they gain access to internal systems containing sensitive data.
Today, in a joint advisory with the US Coast Guard Cyber Command, the cybersecurity agency said that servers have been compromised using Log4Shell exploits to gain initial access into targeted organizations' networks.
Today's advisory comes after VMware also urged customers in January to secure Internet-exposed VMware Horizon servers against ongoing Log4Shell attacks.
Since the start of the year, VMware Horizon servers have been targeted by Chinese-speaking threat actors to deploy Night Sky ransomware, the Lazarus North Korean APT to deploy information stealers, and the TunnelVision Iranian-aligned hacking group to deploy backdoors.
Until you can install patched builds by updating all affected VMware Horizon and UAG servers to the latest versions, you can reduce the attack surface "By hosting essential services on a segregated demilitarized zone," deploying web application firewalls, and "Ensuring strict network perimeter access controls."
- Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns (source)
- Lazarus hackers target VMware servers with Log4Shell exploits (source)
- Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data (source)
- April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell (source)
- New IceApple exploit toolset deployed on Microsoft Exchange servers (source)
- Microsoft: Sysrv botnet targets Windows, Linux servers with new exploits (source)
- CISA warns admins to patch actively exploited VMware, Zyxel bugs (source)
- VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972) (source)
- Researchers to release exploit for new VMware auth bypass, patch now (source)
- New ‘Cheers’ Linux ransomware targets VMware ESXi servers (source)