APT teams are continuing to target organizations that have not patched the Log4Shell vulnerability in VMware products, installing malware and web shells to maintain persistence, and in some cases gaining access to test networks and disaster recovery systems.
The initial disclosure of the Log4Shell vulnerability in the Apache Log4j tool came in December, and the number of affected vendors is quite large. Many vendors, including VMware, released updates within a few days of the disclosure, but because of the scale of the issue and the number of affected vendors, defenders had a huge amount of work on their hands to identify affected systems, prioritize them, and then roll out patches when they could. APT teams and opportunistic attackers began exploiting the bug, which is a remote code execution flaw, immediately after the public disclosure, and exploitation has continued in the months since then.
On Thursday, the Cybersecurity and Infrastructure Security Agency issued a new alert, warning network defenders that high-level attackers are still focusing on unpatched VMware systems, specifically VMware Horizon and Unified Access Gateway instances.
“Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data,” the CISA alert says.
“After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network.”
In the alert, CISA outlines two specific incidents in which organizations were compromised through attacks on Log4Shell (CVE-2022-44228) in VMware products. In one of the intrusions, investigated by the Coast Guard Cyber Command, the attackers exploited a VMware Horizon instance and then deployed a malware loader named hmsvc.exe.
“hmsvc.exe is a Windows loader containing an embedded executable, 658_dump_64.exe. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes, upload and execute additional payloads, and provide graphical user interface (GUI) access over a target Windows system's desktop. The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,” the advisory says.
In the second incident, the organization had been compromised by several separate APT teams, one of which probably exploited an unpatched Horizon server. That group used PowerShell scripts to download other scripts and files from a remote server.
“After gaining initial access to the VMware Horizon server, the threat actors moved laterally via Remote Desktop Protocol (RDP) to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The threat actors also moved laterally via RDP to the organization’s disaster recovery network. The threat actors gained credentials for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired,” the alert says.
“After moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2. The threat actors used compromised administrator accounts to run the loader malware. The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software.”
VMware made patches available for affected systems in December, and organizations that haven’t applied them should do so as soon as possible.