CISA has released a new report that outlines attacks that are still using the Log4Shell vulnerability (CVE-2021-44228) and targeting VMware Horizon and Unified Access Gateway (UAG) servers. Attackers can exploit Log4Shell remotely on vulnerable servers exposed to local or Internet access to move laterally across networks until they gain access to internal systems containing sensitive data. This report outlined attacks where APT actors were remotely accessing unpatched versions of VMware and implanting loader malware on compromised systems with embedded executables enabling remote Command and Control (C2). In one of the confirmed attacks, threat actors were seen moving laterally around the network and stealing sensitive files.
According to the alert, any organization that has not patched their VMware servers should consider those devices to be compromised and initiate their Incident Response (IR) plan. This should include isolating the affected servers and reviewing logs for any malicious activity. Threat actors will often continue utilizing a vulnerability even after patches are released. It is important that any time a patch is released, it is tested and implemented as soon as possible.