A joint security alert by CISA and the FBI has warned organizations that haven’t applied much-needed Log4j security patches and mitigations to VMware Horizon server instances to assume their network has been compromised and act accordingly.
It comes following an investigation into a cyberattack, against what they describe as a ‘federal civilian executive branch’ organization, found that hackers breached the network by exploiting an unpatched Log4j vulnerability in a VMware Horizon server.
The warning comes almost a full year after the Log4j vulnerability was first disclosed and organizations were urged to apply patches or mitigations against a cybersecurity flaw that CISA chief Jen Easterly described as “one of the most serious that I’ve seen in my entire career, if not the most serious”.
The vulnerability (CVE-2021-44228) is in the widely used Java logging library Apache Log4j and, if successfully exploited, the flaw allows attackers to remotely execute code and gain access to machines.
The ubiquitous nature of Apache Log4j means it’s embedded in a vast array of applications, services and enterprise software tools that are written in Java and used by organizations around the world, many of which rushed to apply the fixes.
But despite the urgent messaging around the need to apply critical security updates, there are still organizations that haven’t done so – meaning they’re still vulnerable to any cyber criminals or other malicious hackers looking to exploit Log4j.
Now CISA and the FBI have warned organizations with affected VMware systems that didn’t immediately apply patches or workarounds “to assume compromise and initiate threat hunting activities”.
The cybersecurity advisory (CSA) also warns any organizations that detect a compromise as a result of Log4j to “assume lateral movement” by the attackers, investigate any connected systems and audit accounts with high privilege access.
“All organizations, regardless of identified evidence of compromise, should apply the recommendations in the mitigations section of this CSA to protect against similar malicious cyber activity,” said the alert.
These mitigations include updating affected VMware Horizon and unified access gateway systems and all other software to the latest version, and minimizing the internet-facing attack service by hosting essential services on segregated networks and ensuring strict perimeter access controls are in place, including the use of strong passwords and multi-factor authentication.
It’s also recommended that organizations test their security controls, particularly against the tactics, techniques, and procedures (TTPs) used by Log4j attackers.
CISA said it had found in this instance that attackers breached the network by exploiting the Log4j vulnerability in an unpatched VMware Horizon server. As well as installing cryptomining malware, the attackers were able to move around the network and stole usernames and passwords.
CISA has concluded that, in this instance, the malicious cyber activity abusing Log4jwas conducted by an advanced persistent threat (APT) group working on behalf of the Iranian government.