The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) released a joint security advisory last week warning of the active exploitation of CVE-2021-44228. This vulnerability is commonly referred to as Log4j, or Log4Shell, because it gives attackers a shell from which they can remotely access internet-facing devices running Log4j.
Log4Shell affects Apache Log4j2 versions 2.0-beta9 through 2.15.0 (excluding the security releases 2.12.2, 2.12.3, and 2.3.1). First disclosed in December 2021, the vulnerability was rated 10/10 critical by NIST, but as the recent security advisory explains, it continues to be exploited to give attackers initial access to networks. Log4Shell gives attackers the opportunity to implant loader malware on compromised systems; the loader contains embedded executables that provide a range of remote C2 capabilities.
VMware strongly urged its customers in January to secure their internet-facing VMware Horizon servers, as it was aware that some companies had not patched. This remains an ongoing issue: many organisations have still not updated their VMware Horizon or Unified Access Gateway (UAG) devices and are running unpatched systems that are exposed to this threat. CISA have advised that all organisations in this position treat their VMware systems as if they have been compromised and activate an incident response procedure immediately.
Case Studies demonstrate the danger
Two related case studies of confirmed compromises resulting from exploitation of this vulnerability were detailed in last week’s alert. In one instance, the malicious code contained a modified version of a legitimate Microsoft Windows utility, Sysinternals LogonSessions. This was found to be running at the highest possible privilege level on a Windows system, but it is currently unknown how the attackers achieved this elevation of privilege. The embedded executable in this attack was a remote access tool that provided a range of C2 (Command & Control) capabilities: logging keystrokes, GUI access to the target Windows system’s desktop, and uploading and executing additional payloads. Attackers could also use the malware as a C2 tunnelling proxy, which allowed them to move further into the network and pivot to other systems.
The Windows loader, hmsvc, first creates a Scheduled Task that executes the malware every hour. Each time it runs, two *.tmp files are written to disk, which attempt to connect to the hard-coded C2 server over a non-standard port, 4443. The embedded executable used in this attack encrypts its inbound and outbound communications with a 128-bit key. The most common port used for outbound connections was 1389, although multiple unique destination addresses were used for the Log4Shell call-back.
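The two network traits described above, call-backs on ports 1389 and 4443 and an hourly cadence driven by the Scheduled Task, are the kind of thing a defender can hunt for in firewall or proxy logs. The following script is an added example, not code from the advisory or this post; its log format, hosts and addresses are constructed for illustration, and the hourly-beacon detector is a generalisation of the hmsvc behaviour the advisory describes.

```python
"""Added example, not from the advisory or this post: flag outbound traffic to
the ports the advisory names (1389, 4443) and look for the roughly hourly
beaconing hmsvc's Scheduled Task would produce. Log data is constructed."""
from collections import defaultdict
from datetime import datetime

# Ports named on the page: 1389 (Log4Shell call-back) and 4443 (hmsvc C2).
SUSPECT_PORTS = {1389, 4443}
# Constructed firewall log: "<ISO time> <src> -> <dst>:<port> <action>".
SAMPLE_LOG = """\
2022-06-20T09:00:02 10.0.5.20 -> 203.0.113.7:4443 ALLOW
2022-06-20T09:01:10 10.0.5.20 -> 10.0.0.53:53 ALLOW
2022-06-20T09:30:00 10.0.5.21 -> 198.51.100.9:443 ALLOW
2022-06-20T10:00:05 10.0.5.20 -> 203.0.113.7:4443 ALLOW
2022-06-20T11:00:01 10.0.5.20 -> 203.0.113.7:4443 ALLOW
2022-06-20T11:14:33 10.0.5.21 -> 192.0.2.44:1389 ALLOW
2022-06-20T12:00:07 10.0.5.20 -> 203.0.113.7:4443 ALLOW
"""

def parse_line(line):
    """Split one constructed log line into (time, src, dst, port, action)."""
    ts, src, _, target, action = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action

def suspect_port_hits(log):
    """Return (src, dst, port) for every connection to a suspect port."""
    return [(s, d, p) for _, s, d, p, _ in map(parse_line, log.splitlines())
            if p in SUSPECT_PORTS]

def hourly_beacons(log, period_s=3600, tolerance_s=120, min_hits=3):
    """Return (src, dst, port) triples whose connections recur about hourly.
    A gap between consecutive connections counts as regular when it is within
    tolerance_s of period_s; min_hits connections on a regular cadence match
    the hourly Scheduled Task behaviour described in the advisory."""
    by_pair = defaultdict(list)
    for ts, s, d, p, _ in map(parse_line, log.splitlines()):
        by_pair[(s, d, p)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period_s) <= tolerance_s for g in gaps)
        if regular + 1 >= min_hits:  # n regular gaps span n+1 connections
            hits.append(pair)
    return hits

if __name__ == "__main__":
    print("suspect-port connections:", suspect_port_hits(SAMPLE_LOG))
    print("hourly beacons:", hourly_beacons(SAMPLE_LOG))
```

A single hit on port 443 or 53 is noise, which is why the beacon check requires several connections on a regular cadence to the same destination before it fires.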
In the other case study, the malicious actors were found to be using PowerShell scripts delivered over HTTP to trigger the download of malicious files. The attackers first gained initial access to the VMware Horizon server, then moved laterally to multiple other hosts in the production environment via the Remote Desktop Protocol (RDP). This gave them access to multiple secure servers, including a database containing sensitive law enforcement data, and allowed lateral movement to the organisation’s disaster recovery network.
Credentials for multiple accounts, including administrator accounts, were obtained during this attack, but how they were acquired is currently unknown. The administrator accounts were used to run the loader malware, which included modified versions of the Sysinternals LogonSessions, Du, or PsPing tools. The remote attackers could then use C2 capabilities such as remotely monitoring a system’s desktop, gaining reverse shell access, and exfiltrating data. As in the first case study, attackers could also upload and execute additional payloads and use the malware as a proxy.
This is as bad as it gets
Organisations are advised to treat all unpatched systems as having been compromised.
CISA and CGCYBER recommend the following steps for how to proceed in this situation:
- Immediately isolate affected systems.
- Collect and review relevant logs, data, and artifacts.
- Consider soliciting support from a third-party incident response organization. They can provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- American organisations are advised to report all known incidents to CISA ([email protected]) or the US Coast Guard National Response Center ([email protected]).
- UK based organisations should report incidents to the NCSC at https://report.ncsc.gov.uk/
Any systems that have not been patched since the December and January VMware updates were released should be updated to ensure they are protected. While these updates are being applied, organisations should consider removing vulnerable components from the internet to limit the traffic that can reach them. All network perimeter access controls should also be reviewed to ensure they are as restrictive as possible.
Some temporary workarounds are also possible if updates cannot be applied immediately. These include minimising the internet-facing attack surface by implementing a segregated demilitarised zone (DMZ) in which essential services are hosted. The DMZ should have strict network perimeter access controls and should not host any internet-facing services that are non-essential to business operations. Regularly updated web application firewalls (WAFs) should also be placed in front of public-facing services to further protect against exploitation. A WAF can block malicious traffic and alert the organisation so that further steps can be taken to prevent other attack attempts.
How to protect your organisation
We just don’t know what the next critical vulnerability will be that could leave our networks vulnerable, but we do know what the basic steps are that every organisation can take to improve their baseline level of security:
The NCSC’s advice is to update all software and devices promptly, within a few days of the patch release if possible. It is important to prioritise updates in the same way attackers prioritise their attacks: if they are targeting the most dangerous critical vulnerabilities, then you should be too. Consider having a system in place to learn which vulnerabilities affect your networks and how severe an exploitation could be on your particular network. To ensure timely updates, you can speed up the introduction and testing of security patches by configuring test and development systems to apply patches automatically, and then patch production systems as soon as you have confidence in the new software.
Using the principle of least privilege when setting up user accounts limits access to areas of the network holding more sensitive data, so that users have just enough access to complete their work but nothing more. This provides extra protection for sensitive files, because when malicious users gain access to a system, their access is limited to the permissions of the account they have compromised. Applying least privilege therefore limits the value of any one compromised account.
All your system administrators should have two accounts: one for everyday activities like reading email and browsing the web, and another used only when ‘admin’ rights are genuinely required. All accounts can be further protected through multi-factor authentication and strong password policies, both of which reduce the risk of an account being compromised.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)