APT Groups Swarming on VMware Servers with Log4Shell

Organizations with public-facing VMware Horizon and Unified Access Gateway (UAG) servers without appropriate Log4Shell mitigations have been under a barrage of attacks from a range of attackers, including state-sponsored advanced persistent threat (APT) actors.

In fact, a new Cybersecurity and Infrastructure Agency (CISA) alert tells organizations running servers without Log4Shell updates to just assume they've been compromised and proceed with threat hunting and incident response. CISA added that in one instance, APT attackers were able to breach a disaster recovery network, move laterally, and steal sensitive data.

"If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA," the warning, issued along with the US Coast Guard Cyber Command (CGCYBER), said.

CISA also provides a list of indicators of compromise (IOC) and extensive technical details for threat hunters.