CISA and Coast Guard Cyber Command Warn About Hackers Leveraging Log4Shell Vulnerability on VMware Servers

The Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard Cyber Command (CGCYBER) released a joint advisory, warning that multiple threat actors, including state-sponsored and ransomware groups, are still targeting unpatched Log4Shell vulnerabilities in VMware servers.

The advisory stated that advanced persistent threat (APT) actors exploited the Log4Shell remote code execution vulnerability (CVE-2021-44228) in VMware Horizon and Unified Access Gateway (UAG) servers to move laterally across the network, escalate privileges, deploy malware, and exfiltrate sensitive data. Both Internet-facing and local VMware Horizon and UAG servers were affected.

In December 2021, authorities reported that Turkey, China (Night Sky ransomware), Iran (TunnelVision APT), and North Korea (Lazarus) leveraged the flaw to breach vulnerable systems.

Organizations with unpatched VMware servers are already compromised

CISA and CGCYBER advised organizations with unpatched VMware servers to consider themselves compromised and begin threat hunting.

“If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems…
