US Cert Alert - Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

Log4Shell is a remote code execution (RCE) vulnerability in the Apache Log4j library, impacting numerous products, including certain versions of VMware Horizon and Unified Access Gateway (UAG). Malicious actors exploit this vulnerability to execute arbitrary code, potentially taking full control of affected systems. Despite VMware releasing patches and confirming in-the-wild exploitation, threat actors continue to target unpatched public-facing VMware Horizon and UAG servers.

Exploitation Details

How Log4Shell is Exploited

• Malicious actors send specially crafted requests to vulnerable systems.
• These requests trigger arbitrary code execution, granting attackers full system control.
• Exploitation has been confirmed on unpatched VMware Horizon and UAG servers.
• After initial access, attackers implant malware to establish remote command-and-control (C2) capabilities.

Indicators of Compromise (IOCs)

• Threat actors have been observed connecting to known malicious IP: 104.223.34[.]198.
• The IP address uses a self-signed certificate: CN: WIN-P9NRMH5G6M8.
• In some cases, attackers exfiltrated sensitive data from victim networks.

Incident Analysis

Victim 1: Malware Implantation

• CISA conducted a threat-hunting engagement at an organization (Victim 1) compromised via Log4Shell in VMware Horizon.
• Threat actors uploaded malware named hmsvc.exe, masquerading as legitimate SysInternals LogonSessions software.
• hmsvc.exe Characteristics:
  • Runs with NT AUTHORITY\SYSTEM privileges.
  • Acts as a loader for 658_dump_64.exe, a remote access tool.
  • Provides keylogging, remote payload execution, and GUI access.
  • Creates a scheduled task: C:\Windows\System32\Tasks\Local Session Updater, executing every hour.
  • Drops randomly named .tmp files in C:\Users\AppData\Local\Temp.
  • Attempts communication with 192.95.20[.]8 over port 4443.
  • Uses 128-bit encryption for inbound and outbound communications.

Victim 2: Lateral Movement and Data Exfiltration

• CISA conducted onsite incident response at another organization (Victim 2) compromised by multiple threat actors.
• Key Findings:
  • Initial access gained via unpatched VMware Horizon server in January 2022.
  • Threat actors used PowerShell scripts to download additional payloads from 109.248.150[.]13.
  • Activity originated from 104.155.149[.]103, part of the attacker's C2 infrastructure.
  • Lateral movement via Remote Desktop Protocol (RDP) to:
    • Security management server
    • Certificate server
    • Law enforcement database server
    • Mail relay server
    • Disaster recovery network
  • Compromised administrator accounts used for privilege escalation and further propagation.

Malware Used in Attacks

Loader Malware

The following loader malware samples were found on compromised systems:

Additional Observed Malware

• error_401.jsp (Webshell):
  • Functions as a backdoor providing remote access.
  • Allows file retrieval, uploads, and command execution.
  • Encrypts commands and data using RC4 encryption.
• newdev.dll (Malicious DLL):
  • Ran as a service under a known compromised administrator account.
  • Located at C:\Users\AppData\Roaming\newdev.dll.

Data Exfiltration

• Security management and certificate servers communicated with 92.222.241[.]76 for three weeks.
• 130+ GB of sensitive data was exfiltrated to this foreign IP.
• .rar archives containing law enforcement investigation data were found under a compromised admin account.

Mitigation Recommendations

• Patch VMware Horizon and UAG servers immediately.
• Monitor for unusual network traffic from known IOCs.
• Disable unused PowerShell functionalities to limit execution of malicious scripts.
• Audit administrator account usage for signs of unauthorized access.
• Implement endpoint detection and response (EDR) solutions to monitor suspicious activities.
• Restrict RDP access and require multi-factor authentication (MFA) for all privileged accounts.

Bottom Line

Malicious actors continue to exploit Log4Shell in unpatched VMware Horizon systems. Organizations must proactively update vulnerable systems, monitor for compromise indicators, and implement strict access controls to prevent lateral movement and data exfiltration.