Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data (Security News, June 2022)
The U.S. Cybersecurity and Infrastructure Security Agency, along with the Coast Guard Cyber Command, on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.
"Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and servers," the agencies said.
In one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.
The PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.
Ongoing Log4Shell-related activity even after more than six months suggests that the flaw is of high interest to attackers, including state-sponsored advanced persistent threat actors, who have opportunistically targeted unpatched servers to gain an initial foothold for follow-on activity.
"Log4j is buried deep into layers and layers of shared third-party code, leading us to the conclusion that we'll see instances of the Log4j vulnerability being exploited in services used by organizations that use a lot of open source."
News URL
https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html