New Attempts to Exploit Log4Shell in VMware Horizon Systems: CISA Warns of Threat Actors Actively Leveraging CVE-2021-44228 Apache Log4j Vulnerability

The notorious CVE-2021-44228 Apache Log4j vulnerability aka Log4Shell is still haunting cyber defenders along with reports about its active in-the-wild exploitations. Starting from December 2021, the nefarious Log4Shell flaw on unpatched VMware Horizon and Unified Access Gateway (UAG) servers has been widely weaponized by threat actors enabling them to gain initial access to targeted systems. According to the joint advisory by CISA and U.S. Coast Guard Cyber Command (CGCYBER), network cyber defenders should beware of a new wave of exploitation attempts leveraging the CVE-2021-44228 flaw in the public-facing servers exposing organizations that haven’t applied relevant patches or workarounds to severe cyber risks. 

Detect New Attempts to Exploit Log4Shell in VMware Horizon Systems

Due to increasing cyber risks, organizations that are leveraging VMware servers vulnerable to the Log4Shell vulnerability are continuously striving to look for new ways to reinforce their cyber resilience. SOC Prime’s Detection as Code platform offers a set of curated Sigma rules crafted by our keen Threat Bounty Program developers, Onur Atali and Emir Erdogan, enabling organizations to detect the latest exploitation attempts of CVE-2021-44228 flaw in VMware Horizon and UAG servers:

Possible Exploit Log4Shell in VMware Horizon Systems by Detection of Associated Malicous PE Files (via file_event)

This Sigma rule can be applied across 21 SIEMs and security analytics platforms, including industry-leading cloud-native solutions. The detection is aligned with the MITRE ATT&CK® framework addressing the Execution tactic with the Command and Scripting Interpreter (T1059) as its primary technique along with the Initial Access tactic with the corresponding Exploit Public-Facing Application (T1190) technique enabling cyber defenders to identify the adversary behavior when they attempt to gain initial access to the compromised network. 

Suspicious Scheduled Task creation after Log4shell Exploitation in VMware Horizon Systems (via process_creation)

The above-referenced Sigma detection is compatible with 23 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform and addresses the Execution ATT&CK tactic represented by the Scheduled Task/Job (T1053) technique to ensure enhanced visibility into relevant threats. Leveraging this Sigma rule, security practitioners can also instantly hunt for threats related to the most recent Log4Shell exploitation attempts with the help of SOC Prime’s Quick Hunt module. 

Powered by the collective cybersecurity expertise of 23,000+ InfoSec practitioners across the globe, SOC Prime’s platform curates a comprehensive collection of unique Sigma rules for CVE-2021-44228 exploit detection. Click the Detect & Hunt button below to instantly drill down to all detection content from SOC Prime’s platform filtered accordingly. 

Alternatively, Threat Hunters, Cyber Threat Intelligence specialists, and SOC Analysts can streamline threat investigation by leveraging SOC Prime’s cyber threats search engine. Click the Explore Threat Context button to gain instant access to the list of detection content related to CVE-2021-44228 and dive into the relevant contextual information available at your fingertips without registration.

Detect & Hunt Explore Threat Context

AA22-174A Cybersecurity and Infrastructure Security Agency (CISA) Warning: New Attacks Analysis

Cyber defenders are voicing concerns about new attempts to exploit CVE-2021-44228 Apache Log4j vulnerability also dubbed Log4Shell that first came into the picture in December 2021, still causing a stir in the cyber threat arena. Even over half a year since its discovery, researchers continue to warn the global cyber defender community of new exploitation attempts of Log4Shell. 

CISA in collaboration with CGCYBER has recently issued an alert warning of new attacks using the Log4Shell exploit. Multiple hacking collectives, including nation-backed APTs, continue to weaponize the flaw affecting public-facing VMware Horizon and UAG systems. Earlier, in February 2021, the Iran-linked TunnelVision APT group was seen exploiting Log4Shell on unpatched VMware Horizon servers along with Fortinet FortiOS flaw and Microsoft Exchange ProxyShell vulnerability.

In these latest attacks, adversaries have been observed dropping loader malware on targeted systems enabling C2 server connection, as well as applying lateral movement and data exfiltration after gaining access to the compromised network.

To help organizations boost their cyber defense potential, the issued advisory highlights the adversary TTPs based on the MITRE ATT&CK framework, provides related IOCs, and covers information on the loader malware. As possible mitigation measures, all organizations with potentially affected VMware Horizon installations and UAG systems are strongly recommended to update the impacted software to the latest versions, which mainly refers to patches and workarounds listed by the related VMware response to Apache Log4j RCE vulnerabilities. 

Timely patching known exploited vulnerabilities and leveraging the industry-best cybersecurity practices enables progressive organizations to strengthen their cyber resilience. Leveraging SOC Prime’s Detection as Code platform for collaborative cyber defense, organizations can significantly boost their detection and response capabilities while driving immediate value from their security investments. Moreover, individual researchers can make a difference by contributing to the global cybersecurity community and sharing their own detection content among industry peers. Join SOC Prime’s crowdsourcing initiative known as Threat Bounty Program to enrich the collective cybersecurity expertise with your own detection algorithms and gain a unique opportunity to monetize your professional skills.