Bad Actors Continue to Exploit Log4Shell Vulnerabilities

September 7, 2022

By: Martin T. Shepherd , Rebeca Himena Miller

Takeaway: CISA and CGYBER recommend all organizations who did not immediately apply available patches to assume Log4Shell compromise and initiate threat hunting activities.


In December 2021, the world was held hostage by hackers who found certain vulnerabilities in Log4Shell and exploited them. As part of this exploitation, suspected and advanced threat actors implanted loader malware on compromised systems with embedded directives enabling remote command and control. A confirmed compromise showed that these actors were able to infiltrate a disaster recovery network and collect sensitive data.

Cybersecurity agencies and governmental policy bodies acted immediately against these threats and released patches and Malware Analysis Reports MAR-10382580-1 and MAR-10382254-1 detailing hack workarounds. But the threat was omnipresent.

The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGYBER) recently released a warning in July to network defenders that cyber threat actors continue to exploit CVE-2021-4423 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to infiltrate organizations that failed to apply patches.

Organizations are encouraged to read MAR-10382254-1 which provides examples of malware samples including indicators of comprise (IOCs) and detection signatures.

What organizations must do now is:

  • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, organizations must treat all affected VMware systems as compromised.
  • Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.

For the full article and specific examples of Log4Shell threat events, go to:

https://www.cisa.gov/uscert/ncas/alerts/aa22-174a

* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional attorney. Readers are urged to consult their own legal counsel or reach out to any of Pietragallo’s attorneys on any legal questions concerning a specific situation.

News & Events

Related News

Pietragallo Adds Cybersecurity Lawyer Martin T. Shepherd
October 7, 2021
Martin T. Shepherd, a well-known and respected litigation lawyer, has joined Pietragallo Gordon Alfano Bosick & Raspanti, LLP in the firm’s Commercial Litigation team and as head of the firm’s Diversity Initiative. Read More
View More News & Events