
Organizations running public-facing VMware Horizon and Unified Access Gateway (UAG) servers without the appropriate Log4Shell mitigations have been attacked by a range of threat actors, including state-sponsored advanced persistent threat (APT) groups.
VMware released patches for Log4Shell, a vulnerability in the widely used Log4j Java logging library that left countless servers at risk, in December 2021. Yet attackers continue to exploit the vulnerability more than six months after those patches were made available.
A new CISA alert now tells organizations running servers without the Log4Shell updates to assume they have already been compromised and to proceed directly to threat hunting and incident response. CISA added that in one instance, APT actors were able to breach a disaster recovery network, move laterally, and steal sensitive data.
If potential compromise is detected, admins should apply the incident response recommendations included in this CSA and report key findings to CISA.
CISA and CGCYBER Statement
Indicators of Compromise
IP addresses and ports
- 104.223.34[.]198
- 92.222.241[.]76
- 109.248.150[.]13
- 104.155.149[.]103
- 192.95.20[.]8:80
- 104.223.34[.]198:443
File path & Scheduled task
- C:\Windows\System32\Tasks\Local Session Update
- C:\Windows\Temp\lnk{4_RANDOM_CHARS}.tmp
- C:\Windows\Temp\lnk<4_RANDOM_NUMS_CHARS>.tmp