Free Phone Consultation For New Clients | CONTACT NOW

Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

Log4Shell is a remote logging service (RLS) provider and server logging module included in VMware Horizon View, VMware Horizon Cloud, and VMware AirWatch. Log4Shell has been leveraged by several threat actor groups in the past to explore and exfiltrate sensitive data from organizations’ networks.

In December 2021, FireEye Labs observed new spear phishing and watering hole campaigns exploiting Log4Shell in an attempt to gain access to and steal sensitive data from organizations’ networks. Prior to December 2021, FireEye researchers observed multiple instances of Log4Shell being used as an RLS provider in watering hole and spear phishing campaigns targeting organizations. The following threat actor groups have leveraged Log4Shell for reconnaissance and exfiltration during this timeframe:

APT10

APT17 (aka Cleaver) (1, 2)

Reaper Group (3)

Winnti Group (4, 5)

Source: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems - AlienVault - Open Threat Exchange

Need secure managed IT services in the Greenville, SC, area?