(TLP:WHITE) Threat and Vulnerability Advisory: Important Notification Regarding Compromise of Unpatched VMware Horizon and Unified Access Gateway with Log4Shell Exploit

Author: Jennifer Walker

Created: Tuesday, June 28, 2022 - 16:25

Categories: Cybersecurity

Attention: Action required if your utility uses affected VMware Horizon® and Unified Access Gateway (UAG) servers in your environment and they are not up to date with current vendor patches or recommended workarounds.

Last week, CISA and the United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) – AA22-174A – warning that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches. Additionally, recent research from Cisco Talos describes a month-long AvosLocker ransomware campaign exploiting a VMware ESXi server exposed on the internet over VMware Horizon Unified Access Gateways (UAG), which was vulnerable to Log4Shell.

Successful exploitation of the vulnerability gives actors the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a command-and-control (C2) tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.

Members running VMware Horizon and UAG systems are strongly encouraged to advise relevant system administrators or technology service providers to take appropriate action. Furthermore, if updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, CISA advises treating all affected VMware systems as compromised and initiating threat hunting activities using the IOCs provided in the CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in the CSA and report key findings to CISA.

WaterISAC Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the online incident reporting form.
