

In one instance, the malicious code contained a modified version of a legitimate Microsoft Windows service: SysInternals LogonSessions software. Two related case studies of confirmed compromises resulting from exploitation of this vulnerability were detailed in last week's alert. CISA has advised that all organisations in this position treat their VMware systems as if they have been compromised and activate their incident response procedure immediately. This is an ongoing issue: many organisations have still not updated their VMware Horizon or Unified Access Gateway (UAG) devices and are running unpatched systems, leaving them exposed to this threat. VMware strongly urged its customers in January to secure their internet-facing VMware Horizon servers, as it was aware that some companies had not patched. Log4Shell gives attackers the opportunity to implant loader malware, containing executables, onto compromised systems, allowing for a range of remote command-and-control (C2) capabilities. First disclosed in December 2021, this vulnerability was rated 10/10 critical by NIST, but, as the recent security advisory explains, it continues to be exploited to give attackers initial access to networks. Log4Shell affects Apache Log4j2 2.0-beta9 through version 2.15.0 (excluding the security releases 2.12.2, 2.12.3, and 2.3.1).
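As an added example (not code from the advisory or from this article), the following Python check tells whether a given Log4j 2 version string falls inside the affected range quoted above, handling the pre-release form of 2.0-beta9 and the three excluded security releases; the host names in the sample inventory are constructed for illustration.

```python
"""Flag Log4j 2 builds in the Log4Shell-affected range stated in the advisory:
2.0-beta9 through 2.15.0, excluding security releases 2.12.2, 2.12.3 and 2.3.1."""
import re
from typing import Dict, List, Tuple

# Backported security releases for older branches: explicitly not affected.
EXCLUDED = {"2.12.2", "2.12.3", "2.3.1"}


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn e.g. '2.0-beta9' or '2.14.1' into a tuple that compares correctly.

    Pre-release builds (alpha < beta < rc) sort before the final release with
    the same numbers, so '2.0-beta9' < '2.0-rc1' < '2.0'. Unknown formats raise.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?",
                     version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    stage = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[tag]
    return (int(major), int(minor), int(patch or 0), stage, int(tag_num or 0))


LOW = parse_version("2.0-beta9")   # first affected build
HIGH = parse_version("2.15.0")     # last build in the range quoted by NIST


def is_affected(version: str) -> bool:
    """True if the version is inside the affected range and not a security release."""
    norm = version.strip().lower()
    if norm in EXCLUDED:
        return False
    return LOW <= parse_version(norm) <= HIGH


def hosts_to_patch(inventory: Dict[str, str]) -> List[str]:
    """Given {host: log4j_version}, return the hosts still running an affected build."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {
    "horizon-cs-01": "2.14.1",    # affected
    "uag-edge-02": "2.12.2",      # excluded security release
    "horizon-cs-03": "2.17.1",    # above the affected range
    "legacy-app-04": "2.0-beta9", # first affected build
}

if __name__ == "__main__":
    print("hosts still exposed:", hosts_to_patch(SAMPLE_INVENTORY))
```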

This vulnerability is commonly known as Log4j, or Log4Shell, because it gives attackers a shell through which they can remotely access internet-facing devices running Log4j. The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) released a joint security advisory last week warning of the active exploitation of CVE-2021-44228.
