CISA Warns Unpatched VMware Servers Remain Vulnerable to Log4Shell

Security

The US Cybersecurity and Infrastructure Agency (CISA) has warned that attackers are still exploiting the Log4Shell flaw to target VMware’s Horizon and Unified Access Gateway (UAG) servers. The security agency advised IT admins to immediately patch their servers running vulnerable Log4j versions.

The Apache Software Foundation first disclosed the Log4Shell flaw, tracked as CVE-2021-44228, back in December 2021. The vulnerability exists in the popular open-source Apache Log4j framework and allows unauthenticated remote code execution (RCE) and complete server takeover.

VMware released multiple patches to address the security flaw in its products in December and January. However, it turns out that some organizations have yet to patch their systems. CISA says that attackers have recently exploited the Log4Shell vulnerability on unpatched servers to breach the disaster recovery network of an organization and steal sensitive information.

“As part of this exploitation, suspected advanced persistent threat actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data,” CISA explained.

CISA urges organizations to patch their systems

It is important to note that Log4Shell affected a wide range of customers, enterprise services, and device manufacturers. It is one of the reasons that the flaw was a bit challenging to patch for some organizations. While the CISA had not observed any major intrusions via Log4j, the latest incidents indicate that the security vulnerability is still vulnerable to cyber attacks or state-sponsored operations.

According to the CISA, all organizations with unpatched VMware servers should begin incident response (IR) procedures as soon as possible. It is recommended to isolate the potentially affected systems, review logs and artifacts, and report the breach to the security agency. Meanwhile, customers can hire third-party IR experts to mitigate potential risks and threats.