Log4j is a Java-based logging utility used in numerous applications. It is designed to log information, determine how applications are running, and help with debugging errors. Unfortunately, the Log4j software has a severe critical vulnerability, which allows attackers to remotely execute code. This vulnerability, known as Log4Shell (CVE 2021-44228), affects a wide range of technology vendors, making it a major security concern.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security notification advising companies that have not implemented crucial Log4j safety updates and corrections to their VMware Horizon server systems to assume that their networks have already been breached and take the necessary measures.
The log4shell vulnerability
The Log4Shell vulnerability is critical because it can allow attackers to remotely execute code on any device running Log4j version 2. This means that attackers can gain access to sensitive information, disrupt communications, and even take control of the device. Furthermore, because the vulnerability is widespread, millions of computers running online services are impacted by it. As such, it is important for organizations to take action to mitigate the vulnerability as soon as possible.
The Log4Shell vulnerability is closely related to a VMware Horizon servers vulnerability (CVE-2021-45046), as it can be exploited to gain access to unpatched public-facing servers. Attackers have been exploiting this vulnerability since December 2021, with multiple threat actor groups taking advantage of this vulnerability in order to deliver backdoors and cryptocurrency miners. As such, it is important for organizations to ensure that all VMware Horizon servers are properly patched and secured against this vulnerability.
After a Log4Shell exploitation, an attacker can use the access gained from the initial exploitation to move laterally through the network. This can be done by using the access gained from the vulnerability to find additional systems with vulnerable Log4J2 components, and then exploiting those systems in order to gain access to other networks and systems. Additionally, attackers can use the access gained from the initial exploitation to find shared credentials that can be used to access other systems, or to launch brute-force attacks to gain access to other systems. Finally, attackers can use the access gained from the initial exploitation to use other tools, such as PowerShell, to gain access to other systems.
