Attackers Use Log4Shell to Hack Unpatched VMware Products

Unpatched Systems Should Be Treated as Compromised, say U.S. Cyber Agencies
Source: Jen Easterly's Twitter account

System administrators who haven't yet patched the Log4Shell vulnerability could get a rude awakening in the form of state-sponsored hacking, warns the U.S. government.

A joint advisory from the Cybersecurity and Infrastructure Security Agency and the Coast Guard Cyber Command says advanced persistent threat actors are using the exploit to hack into unpatched VMware virtual desktop software.

Security researchers set off a firestorm late last year when they discovered a zero-day vulnerability in a popular open-source Java data-logging framework present in hundreds of millions of devices. A patch released by the Apache Software Foundation in December set off a global race between systems administrators and hackers - a sprint that some organizations dangerously have yet to complete (see: Serious Log4j Security Flaw: Race Underway to Discern Scope).

Multiple threat actors intent on taking advantage of this moment are using Log4Shell to penetrate unpatched VMware Horizon systems and Unified Access Gateway products, the advisory says. Some load malware with embedded executables that establish a remote connection with a command-and-control server. In one confirmed compromise detailed by the advisory, attackers gained entry into a sensitive network via a vulnerable instance of VMware Horizon and exfiltrated sensitive law enforcement data.

Any VMware system that has not been updated with the Log4Shell patch or that hasn't been modified with a workaround should be treated as already compromised, CISA and the Coast Guard Cyber Command say.

The advisory illustrates an all-too-common trajectory of vulnerabilities, says Kumar Saurabh, chief executive and co-founder of cybersecurity firm LogicHub. Initial discovery leads to a burst of patching that still doesn't reach every affected system, he tells Information Security Media Group. Then the vulnerability drops from view until hackers nudge it back into awareness.

"Vulnerabilities can stay around for a long time and continue to be exploited as long as there are gaps. It's critical that we remain vigilant about any exploit, even if it's been checked off the list as 'done,'" he says.

Victim Analysis 1: Highest Privilege Level

Threat hunting carried out by the U.S. Coast Guard Cyber Command shows that threat actors exploited Log4Shell to gain initial access into an undisclosed victim's network. They uploaded a malware file, "hmsvc.exe," that masquerades as the Microsoft Windows security utility Sysinternals LogonSessions.

An embedded executable inside the malware contains several capabilities, including keystroke logging and deployment of additional payloads, and provides a graphical user interface to access the victim's Windows desktop system. It can function as a command-and-control tunneling proxy, allowing a remote operator to move further into a network, the agencies say.

The analysis also found that hmsvc.exe ran as a local system account with the highest possible level of privileges but doesn't explain how attackers elevated their privileges to that point.

Victim Analysis 2: Multiple Attackers

Incident response activity by CISA found that multiple threat groups had compromised the network of an undisclosed organization with access to law enforcement data.

The U.S. government is not disclosing the number of threat actors, and it is unclear if they shared access details or used an access broker. One of the threat actors gained access to the organization's network in January or perhaps earlier.

Once inside the production environment, threat actors used PowerShell scripts to move laterally into other production environment hosts and servers. They leveraged compromised administrator accounts to run a loader malware, which appears to have capabilities similar to the malware identified by the Coast Guard. Because multiple actors had access to the network, CISA found several Windows loader malware samples with malicious embedded executables, including SvcEdge.exe, odbccads.exe, praiser.exe, fontdrvhosts.exe, and winds.exe.

The C2 capabilities of the embedded executables include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads, the agencies say.

One threat actor had access to the victim's production environment for three weeks and exfiltrated more than 130 gigabytes of data from its security management server. The agency found .rar archive files "containing sensitive law enforcement investigation data under a known compromised administrator account."
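The two victim analyses above give defenders concrete things to hunt for: the loader filenames the agencies recovered, a binary presenting itself as Sysinternals LogonSessions under a different name, and such a binary running as SYSTEM. The following script is an added example, not code from the advisory or this article. It runs a simple hunt over constructed process-creation events in a simplified key=value format; the field names (Image, Description, User) and the assumption that the event carries the binary's Description field, as Sysmon Event ID 1 does, are assumptions made for the example.

```python
"""Hunt process-creation events for the loader filenames and the LogonSessions
masquerade described in the CISA / Coast Guard Cyber Command advisory.
Added example; not code from the advisory or the article."""
import re

# Loader / embedded-executable filenames named in the advisory (as quoted in the article).
ADVISORY_FILENAMES = {
    "hmsvc.exe", "svcedge.exe", "odbccads.exe", "praiser.exe",
    "fontdrvhosts.exe", "winds.exe",
}

# hmsvc.exe masquerades as Sysinternals LogonSessions. A genuine copy is normally
# named logonsessions.exe / logonsessions64.exe, so any other file name carrying
# that description is worth a look. (Assumption: the Description field is present
# in the event, as it is in Sysmon Event ID 1.)
SYSINTERNALS_DESC = "logonsessions"

# Constructed sample events in a simplified "key=value key=value" layout.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\svchost.exe Description=Host Process for Windows Services User=NT AUTHORITY\\SYSTEM',
    'Image=C:\\Users\\Public\\hmsvc.exe Description=LogonSessions User=NT AUTHORITY\\SYSTEM',
    'Image=C:\\Tools\\logonsessions64.exe Description=LogonSessions User=CORP\\admin',
    'Image=C:\\ProgramData\\SvcEdge.exe Description= User=CORP\\svc_horizon',
    'Image=C:\\Windows\\Temp\\fontdrvhosts.exe Description= User=CORP\\admin',
]

# A value runs until the next " key=" token or the end of the line.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return a list of findings for one parsed event (empty list = nothing notable)."""
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    desc = event.get("Description", "").lower()
    findings = []
    if name in ADVISORY_FILENAMES:
        findings.append(f"advisory loader filename: {name}")
    if SYSINTERNALS_DESC in desc and not name.startswith("logonsessions"):
        findings.append(f"LogonSessions description on unexpected binary: {name}")
    # The Coast Guard analysis found hmsvc.exe running as the local system account;
    # flag that only when something else about the process is already suspicious.
    if findings and event.get("User", "").upper() == "NT AUTHORITY\\SYSTEM":
        findings.append("running as SYSTEM")
    return findings


def hunt(lines):
    """Map each suspicious Image path to its findings."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        findings = classify(event)
        if findings:
            hits[event["Image"]] = findings
    return hits


if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Against the constructed events this flags hmsvc.exe (three findings), SvcEdge.exe and fontdrvhosts.exe, and leaves the legitimately named logonsessions64.exe alone. Filename matching is the weakest of the three checks, since a loader is trivially renamed; the description-versus-filename mismatch and the privilege level are the signals that survive renaming, and both come straight from the behaviour the advisory describes.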

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
