Log4j is a Java-based logging utility used in numerous applications. It is designed to log information, show how applications are running, and help with debugging errors. Unfortunately, Log4j has a critical vulnerability that allows attackers to execute code remotely. This vulnerability, known as Log4Shell (CVE-2021-44228), affects a wide range of technology vendors, making it a major security concern.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security notification advising companies that have not implemented crucial Log4j safety updates and corrections to their VMware Horizon server systems to assume that their networks have already been breached and take the necessary measures.
The Log4Shell vulnerability
The Log4Shell vulnerability is critical because it can allow attackers to remotely execute code on any device running Log4j version 2. This means that attackers can gain access to sensitive information, disrupt communications, and even take control of the device. Furthermore, because the vulnerability is widespread, millions of computers running online services are impacted by it. As such, it is important for organizations to take action to mitigate the vulnerability as soon as possible.
The Log4Shell vulnerability is closely related to a vulnerability affecting VMware Horizon servers (CVE-2021-45046), as it can be exploited to gain access to unpatched public-facing servers. Attackers have been exploiting it since December 2021, with multiple threat actor groups taking advantage of it to deliver backdoors and cryptocurrency miners. As such, it is important for organizations to ensure that all VMware Horizon servers are properly patched and secured against this vulnerability.
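Confirming that a server is actually patched means finding every copy of log4j-core in its deployment, including copies bundled inside wars and fat jars. The following added example (not code from the advisory or from VMware) inspects an archive for log4j-core, reports the version its manifest declares so it can be compared against the vendor's fixed release, and flags whether the JndiLookup class that implements the abused JNDI lookup is still present. The sample war it builds is a constructed stand-in, not a real Log4j build, and "sample-version" is a placeholder.

```python
import io
import zipfile
from typing import Dict, List

# Package prefix that identifies a log4j-core archive, and the class implementing
# the JNDI lookup abused by Log4Shell (Apache's interim mitigation for hosts that
# could not be upgraded was to delete this class from the jar).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def inspect_archive(data: bytes, label: str) -> List[Dict[str, object]]:
    """Report log4j-core copies in an archive, recursing into nested jars/wars."""
    findings: List[Dict[str, object]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            version = None  # stays None when the manifest carries no version
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Implementation-Version:"):
                        version = line.split(":", 1)[1].strip()
            findings.append({"archive": label, "version": version,
                             "jndi_lookup_present": JNDI_LOOKUP_CLASS in names})
        for n in names:  # fat jars and wars bundle log4j-core one level down
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(n), f"{label}!{n}"))
    return findings


def build_sample_war(include_jndi: bool) -> bytes:
    """Constructed input: a war nesting a minimal stand-in for log4j-core (not a real build)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: sample-version\n")
        jar.writestr(LOG4J_CORE_PREFIX + "LoggerContext.class", b"")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())
    return outer.getvalue()
```

Feed inspect_archive the bytes of every jar, war and ear found by walking the deployment directory; a reported version older than the vendor's fixed release, or a jar that still contains JndiLookup.class, marks a host that should be treated as exposed until it is upgraded.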
After a successful Log4Shell exploitation, an attacker can use the initial foothold to move laterally through the network. This can be done by locating additional systems with vulnerable Log4j 2 components and exploiting them in turn to reach other networks and systems. Attackers can also use the foothold to find shared credentials that grant access to other systems, or to launch brute-force attacks against them. Finally, attackers can use the foothold to run other tools, such as PowerShell, to gain access to other systems.
Log4Shell distributing cryptominers
The advisory published by CISA and the FBI describes how an unnamed Iranian-backed threat group exploited the Log4Shell vulnerability in an unpatched VMware Horizon server to deploy XMRig cryptomining malware.
The attackers compromised the federal network after hacking into an unpatched VMware Horizon server and then set up reverse proxies on compromised servers to maintain persistence within the FCEB agency’s network. CISA warned in June 2022 that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits. CISA advised organizations with vulnerable VMware servers to assume they were breached and initiate threat-hunting activities.
Cryptominer malware can cause a wide range of problems for the user, including system instability, slow performance, excessive power consumption, and increased electricity bills. Additionally, cryptominer malware can open up a system to further malware attacks, or even data theft. Finally, cryptominer malware can reduce the lifespan of a system by causing overheating and other physical damage.