Security News > 2022 > June > Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns

Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns
2022-06-24 09:41

If your organization is running VMware Horizon and Unified Access Gateway servers and you haven't implemented the patches or workarounds to fix/mitigate the Log4Shell vulnerability in December 2021, you should threat all those systems as compromised, the Cybersecurity and Infrastructure Security Agency has advised on Thursday.

According to the CISA, cyber threat actors, including state-sponsored advanced persistent threat actors, have continued to exploit Log4Shell in unpatched, internet-facing VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations.

"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control. In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data," CISA noted, and detailed both engagements - one of which ended up with them discovering that the victim organization was compromised by multiple threat actor groups.

One of these groups also leveraged CVE-2022-22954, a RCE vulnerability in VMware Workspace ONE Access and Identity Manager, to implant a webshell.

CISA advises organizations to assume that all their unpatched VMware Horizon and Unified Access Gateway servers are compromised and go from there.

"Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls in front of public-facing services," CISA also counsels.


News URL

https://www.helpnetsecurity.com/2022/06/24/log4shell-vmware-horizon/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-04-11 CVE-2022-22954 Code Injection vulnerability in VMWare products
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection.
network
low complexity
vmware CWE-94
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591