Network defenders warned of malicious cyber hackers continuing to exploit Log4Shell in VMware Horizon systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER) said that cyber hackers, including state-sponsored advanced persistent threat (APT) hackers, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers. Cybercriminals have also exploited these vulnerabilities to obtain initial access to organizations that did not apply the available patches or workarounds.

“Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers,” according to a joint Cybersecurity Advisory issued on Thursday. “As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data,” it added.

Unpatched systems exploited by hackers also featured in Forescout’s research this week, which disclosed 56 vulnerabilities caused by insecure-by-design practices, collectively called OT:ICEFALL, affecting devices from ten OT (operational technology) vendors. The research noted that “since the issues uncovered are the result of insecure design practices affecting core system functionality, many of them will remain unpatched in production environments for a significant amount of time.” The OT:ICEFALL issues primarily affect level 1 and 2 devices and could be used in OT-specific attacks targeting those devices.

The CISA-CGCYBER advisory provides the suspected APT hackers’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The data comes from two related incident response engagements and malware analysis of samples discovered on the victims’ networks. 

The advisory said that since December, multiple cyber hacker groups had exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access to networks. “After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors are connected to known malicious IP address 104.223.34[.]198. This IP address uses a self-signed certificate CN: WIN-P9NRMH5G6M8. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network,” it added. 

The advisory disclosed that CGCYBER conducted a proactive threat-hunting engagement at an organization compromised by hackers exploiting Log4Shell in VMware Horizon. After obtaining access, the hackers uploaded malware, hmsvc.exe, to a compromised system. During malware installation, connections to IP address 104.223.34[.]198 were observed. 

“CISA and CGCYBER analyzed a sample of hmsvc.exe from the confirmed compromise. hmsvc.exe masquerades as a legitimate Microsoft Windows service (SysInternals LogonSessions software) and appears to be a modified version of SysInternals LogonSessions software embedded with malicious packed code,” the advisory said. “When discovered, the analyzed sample of hmsvc.exe was running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges,” it added. 

hmsvc.exe is a Windows loader containing an embedded executable, a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes, upload and execute additional payloads, and provide graphical user interface (GUI) access over a target Windows system’s desktop. Additionally, the malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.

When first executed, hmsvc.exe creates a Scheduled Task that runs the malware every hour. On each execution, two randomly named *.tmp files are written to disk, and the embedded executable attempts to connect to the hard-coded C2 server 192.95.20[.]8 over port 4443, a non-standard port. The executable’s inbound and outbound communications are encrypted with a 128-bit key.

The advisory also identified that from late April through May, CISA conducted an onsite incident response engagement at an organization where the security agency observed bi-directional traffic between the organization and suspected APT IP address 104.223.34[.]198. During incident response, CISA determined that multiple threat actor groups compromised the organization. 

The hackers using IP 104.223.34[.]198 gained initial access to the organization’s production environment in late January or earlier. “These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts to callout to 109.248.150[.]13 via Hypertext Transfer Protocol (HTTP) to retrieve additional PowerShell scripts,” it added. 

Around the same period, CISA observed the hackers attempting to download and execute a malicious file from 109.248.150[.]13. The activity originated from IP address 104.155.149[.]103, which appears to be part of the hackers’ C2 infrastructure.

After gaining initial access to the VMware Horizon server, the hackers moved laterally via Remote Desktop Protocol (RDP) to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server.

The hackers also moved laterally using RDP to the organization’s disaster recovery network. They also gained credentials for multiple accounts, including administrator accounts, though it is unknown how these credentials were acquired. 

“After moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2,” the advisory said. The hackers used compromised administrator accounts to run the loader malware. It added that the loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. 

The advisory said that the embedded executables belong to the same malware family, are similar in design and functionality to 658_dump_64.exe, and provide C2 capabilities to a remote operator. “These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy,” it added.

Hackers collected and likely exfiltrated data from the organization’s production environment. “For a three-week period, the security management and certificate servers communicated with the foreign IP address 92.222.241[.]76. During this same period, the security management server sent more than 130 gigabytes (GB) of data to the foreign IP address 92.222.241[.]76, indicating the actors likely exfiltrated data from the production environment. CISA also found .rar files containing sensitive law enforcement investigation data under a known compromised administrator account,” the advisory added.
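As an added example (not from the advisory or this article), the following Python script applies two of the observations above to constructed flow records: it matches destinations against the C2 addresses and the non-standard port 4443 quoted here, and it sums outbound volume per internal host and external destination over the period to surface the kind of bulk transfer described for the security management server. The sample records, the 50 GB threshold and the 10.x internal-address test are assumptions.

```python
import re
from collections import defaultdict

# C2 addresses and port as quoted in the advisory text above (defanging removed)
C2_IPS = {"104.223.34.198", "192.95.20.8", "109.248.150.13",
          "104.155.149.103", "92.222.241.76"}
C2_PORTS = {4443}
# Assumed threshold for a volume anomaly; tune to the environment's baseline
EXFIL_THRESHOLD_BYTES = 50 * 1024**3

# Constructed netflow-style records: timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2022-01-30T02:10:00Z 10.0.0.15 109.248.150.13 80 4096
2022-01-30T02:11:00Z 10.0.0.15 192.95.20.8 4443 2048
2022-02-01T09:00:00Z 10.0.0.20 203.0.113.10 443 1500
2022-02-03T12:00:00Z 10.0.0.40 92.222.241.76 443 70000000000
2022-02-10T12:00:00Z 10.0.0.40 92.222.241.76 443 70000000000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, nbytes = m.groups()
            flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows


def ioc_hits(flows):
    """Flows whose destination is a known C2 address or uses the non-standard C2 port."""
    return [f for f in flows if f[2] in C2_IPS or f[3] in C2_PORTS]


def exfil_candidates(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """(src, dst) pairs whose cumulative outbound bytes to an external address exceed threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if not dst.startswith("10."):  # assumed internal range for the sample
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in ioc_hits(flows):
        print("IOC hit:", hit)
    for pair, total in exfil_candidates(flows).items():
        print("volume anomaly:", pair, total)
```

The volume check catches the three-week pattern even when the destination is not yet on an indicator list; the IOC check catches the first beacons before any volume builds up.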

Organizations with affected systems have been called upon to install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell last December, organizations should treat all affected VMware systems as compromised.

Additionally, network defenders must minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.

In March, a MITRE report used the phrase ‘endemic vulnerability’ when referencing the Log4j vulnerabilities, given the number of impacted products and challenges in applying fixes. One factor that contributed to the magnitude of the exploit’s impact was the degree to which the Log4j libraries had been incorporated into numerous software products and projects, thus meaning that the vulnerability will remain in the global software ecosystem for a long time.
