UPDATED 20:52 EST / JUNE 23 2022

SECURITY

CISA and Coast Guard warn that Log4Shell still being targeted by hackers

The U.S. Cybersecurity and Infrastructure Security Agency and the Coast Guard Cyber Command today warned network defenders that Log4Shell vulnerabilities are still being targeted by hackers.

Log4Shell first emerged in December as a vulnerability in Apache Log4j, open-source logging software used by numerous companies. The initial vulnerability, along with others disclosed afterward, allows hackers to gain access to affected systems. It was exploited not only by run-of-the-mill criminal hackers but also by state-sponsored hacking groups.

The new warning states that cyberthreat actors, including state-sponsored advanced persistent threat actors, have continued to exploit the original vulnerability, tracked as CVE-2021-44228, in VMware Horizon and Unified Access Gateway services. Hackers exploit the vulnerability to gain access where organizations did not apply available patches.

The full alert details several recent cases where hackers have successfully exploited the vulnerability to gain access. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network.

CISA and the Coast Guard recommend that all organizations install updated builds to ensure affected VMware Horizon and UAG systems are running the latest version.

The alert added that organizations should always keep software up to date and prioritize patching known exploited vulnerabilities. Internet-facing attack surfaces should be minimized by hosting essential services on a segmented demilitarized zone, enforcing strict network perimeter access controls and not hosting internet-facing services that aren’t essential to business operations.
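The guidance above starts with knowing which hosts still carry an affected Log4j build. The script below is an added example, not code from CISA, the Coast Guard or Apache: it walks a directory tree for log4j-core jars, reads the version from the Maven pom.properties that ships inside the jar (falling back to the filename), flags versions inside the CVE-2021-44228 affected range (2.0-beta9 through 2.14.1, excluding the backported fixes 2.3.1, 2.12.2 and 2.12.3), and notes whether JndiLookup.class is still present. The sample jar tree it scans is constructed in a temporary directory; the path and version values in it are made up for the demonstration.

```python
"""Inventory log4j-core jars and flag those in the CVE-2021-44228 affected range.
Added example; not the alert's or Apache's own tooling."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, Optional, Tuple

# Real locations inside an official log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

NAME_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)\.jar$")
VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """'2.14.1' -> (2, 14, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9')."""
    m = VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return int(major), int(minor), int(patch or 0), (qual or "").lower()


def is_affected_by_44228(version: Tuple[int, int, int, str]) -> bool:
    """Affected range for CVE-2021-44228: Log4j 2.0-beta9 up to 2.14.1,
    except the backported fixes 2.3.1 (Java 6) and 2.12.2 / 2.12.3 (Java 7)."""
    major, minor, patch, qual = version
    if major != 2:
        return False
    if minor == 0 and patch == 0 and qual:
        if qual.startswith("beta"):
            return int(qual[4:]) >= 9  # JNDI lookups arrived in 2.0-beta9
        return True  # 2.0-rc1 and 2.0-rc2
    if (minor, patch) in {(3, 1), (12, 2), (12, 3)}:
        return False
    return (minor, patch) <= (14, 1)


def inspect_jar(path: Path) -> Dict[str, object]:
    """Read the version from pom.properties (filename as fallback) and check
    whether JndiLookup.class is still in the jar."""
    version_text: Optional[str] = None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version_text = line.split("=", 1)[1]
    if version_text is None:
        m = NAME_RE.search(path.name)
        version_text = m.group(1) if m else None
    version = parse_version(version_text) if version_text else None
    return {
        "path": str(path),
        "version": version_text,
        "affected": bool(version and is_affected_by_44228(version)),
        "jndi_lookup_present": has_jndi,
    }


def scan(root: Path) -> Iterator[Dict[str, object]]:
    """Yield a finding for every jar whose name starts with log4j-core."""
    for p in root.rglob("*.jar"):
        if p.name.startswith("log4j-core"):
            yield inspect_jar(p)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture (hypothetical paths and contents): one unpatched jar,
    one older jar mitigated by removing JndiLookup.class, one fixed release."""
    samples = [
        ("app1/lib/log4j-core-2.14.1.jar", "2.14.1", True),
        ("app2/lib/log4j-core-2.11.2.jar", "2.11.2", False),
        ("app3/lib/log4j-core-2.17.1.jar", "2.17.1", True),
    ]
    for rel, ver, keep_jndi in samples:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr(POM_PROPS, f"version={ver}\ngroupId=org.apache.logging.log4j\n")
            if keep_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo() -> list:
    """Scan the constructed tree and return findings sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sorted(scan(root), key=lambda r: r["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The scan only matches jars named log4j-core; applications that shade Log4j into a fat jar or rename it need the pom.properties and JndiLookup.class checks run over every jar instead. A jar that reports "affected" but no JndiLookup.class reflects the class-removal mitigation, which is a stopgap, not a substitute for moving to a fixed build.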

“This vulnerability has followed a typical path — after the initial discovery, there was a flurry of patching by security-conscious organizations and then it dropped out of the news,” Kumar Saurabh, chief executive officer and co-founder of managed detection and response company LogicHub Inc., told SiliconANGLE. “But there are always servers that get missed or organizations that don’t keep up with patching.”

Saurabh added that vulnerabilities can stay around for a long time and continue to be exploited as long as there are gaps. “It’s critical that we remain vigilant about any exploit, even if it’s been checked off the list as ‘done,’” he said.

Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., noted that although patching can be a challenge and can even pose a real risk of an outage if there are problems, any organization with internet-facing devices should have a patching and testing process in place to reduce the risk significantly.

“The guidance issued by CISA and CGCYBER, that unpatched VMware servers vulnerable to the Log4Shell remote code execution vulnerability should be considered already compromised, only goes to underscore the severity of this vulnerability and the capabilities of the actors that are exploiting it,” Kron said.

Images: Apache
