Alert - APT actors continue exploitation of Log4Shell in VMware products

Number: AL22-010
Date: 24 June 2022


This Alert is intended for IT professionals and managers of notified organizations.


An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.


On 23 June 2022 the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) Footnote 1. This was released to warn network defenders of continued exploitation of CVE-2021-44228 (Log4Shell) by Advanced Persistent Threat (APT) actors within unpatched VMware Horizon and Unified Access Gateway (UAG) servers.

This CSA contains tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) of the suspected APT activity. These resources can be leveraged by network defenders to determine if malicious activity has occurred and provide recommendations for incident response.

Recommended actions

The Cyber Centre encourages organizations with vulnerable VMware Horizon and UAG systems to:

  • Review the Joint Advisory on mitigating Log4Shell originally released December 2021 and follow the included advice and guidance Footnote 2
  • Review the recent CISA and CGCYBER Alert for additional information Footnote 1
  • Update all affected systems to the latest version
  • Utilize TTPs and IOCs to examine/remediate affected and associated systems

The Cyber Centre has not verified the technical details described in this disclosure and is providing this information as is for situational awareness and potential action. It is important that organizations verify the potential impact on business services and network environments before implementing any of the above or referenced recommended actions.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, contact the Cyber Centre by email (, or by telephone (1-833-CYBER-88 or 1-833-292-3788).

Report a problem on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: