CISA releases indicators of compromise for hard-hit VMware Horizon
State-sponsored advanced persistent threat actors are still exploiting Log4Shell vulnerabilities in unpatched VMware Horizon and Unified Access Gateway servers, the Cybersecurity and Infrastructure Security Agency warned in an updated advisory Monday.
Organizations that did not apply previously released patches or workarounds should “treat all affected VMware systems as compromised,” CISA and the U.S. Coast Guard Cyber Command said in the update.
The federal agencies advise organizations with unpatched VMware systems to hunt for additional indicators of compromise.
A malicious loader that contains a remote access tool provides a vast array of command and control capabilities, according to a malware analysis report published Monday.
A 64-bit Windows loader can be decrypted and loaded into memory during runtime without touching the system’s hard disk. Once the malware embedded in the loader attempts to communicate with the command and control IP address, it can log keystrokes, upload and execute additional payloads, CISA said in the advisory.
This malware also uses more complex methods to hinder the analysis of its code structures and an encryption algorithm to secure network communications.
CISA and the U.S. Coast Guard Cyber Command published a long list of partially decrypted strings of code that VMware customers should hunt for in their systems.
VMware Horizon, a widely used virtual desktop application that allows workers to operate remotely, got hit hard by the Log4j vulnerability. VMware in May found itself entangled in an emergency directive from CISA that impacted up to 10 VMware products.
The recurring vulnerabilities in VMware products present a worrying trend for customers, and the updated advisory further amplifies the threats facing VMware customers.
Gloss