Friday, May 3, 2024

Hackers exploiting Log4Shell in VMware Horizon

UK’s National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.

Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution flaw in Apache Log4j 2.14, which has been under active, high-volume exploitation since December 2021.

Apache addressed the above and four more vulnerabilities via subsequent security updates, and Log4j version 2.17.1 is now considered adequately secure.

Targeting Apache Tomcat in VMware Horizon

According to the NHS notice, the actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” explains the alert.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.”

The PowerShell commands let the adversaries retrieve command output through a webhook, and all connections go to one of the following legitimate services:

  • transfer.sh
  • pastebin.com
  • webhook.site
  • ufile.io
  • raw.githubusercontent.com

Attack flow diagram: Log4j flaw in VMware Horizon

Security updates are available

VMware released a security update for Horizon and other products last month, fixing CVE-2021-44228 and CVE-2021-45046 with versions 2111, 7.13.1, and 7.10.3.

As such, all VMware Horizon admins are urged to apply the security updates as soon as possible.

NHS’s report also highlights the following three signs of active exploitation on vulnerable systems:

  1. Evidence of ws_TomcatService.exe spawning abnormal processes
  2. Any powershell.exe processes containing ‘VMBlastSG’ in the command line
  3. File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is generally overwritten during upgrades and not modified
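The three indicators above and the list of call-back services earlier in the article translate directly into host-telemetry rules. The following is an added example (not part of the NHS alert or this article) that runs those checks over a handful of constructed Sysmon-style event records; the event field names, the Horizon install path used in the samples, and the set of child processes Tomcat is assumed to spawn normally are all assumptions that need tuning against a real baseline.

```python
"""Triage rules for the Horizon/Log4Shell indicators described in the NHS alert.

Added example. Events are plain dicts in an assumed Sysmon-like shape
(type, image, parent_image, cmdline, path, action, dest_host); map your
own EDR or Sysmon fields onto these before use.
"""
from typing import Callable, Dict, List, Tuple

# Legitimate services the alert says were used for call-backs and output retrieval.
WATCHED_HOSTS = {
    "transfer.sh",
    "pastebin.com",
    "webhook.site",
    "ufile.io",
    "raw.githubusercontent.com",
}

# Assumption: child processes ws_TomcatService.exe is expected to spawn on a
# healthy Horizon Connection Server. Build this from your own baseline.
EXPECTED_TOMCAT_CHILDREN = {"conhost.exe"}

# Constructed sample telemetry; paths and command lines are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ws_TomcatService.exe launching PowerShell that references VMBlastSG
        "type": "process",
        "parent_image": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -NoProfile -Command "Get-Service VMBlastSG"',
    },
    {   # Benign: Tomcat spawning a console host (in the assumed allowlist)
        "type": "process",
        "parent_image": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "image": r"C:\Windows\System32\conhost.exe",
        "cmdline": "conhost.exe 0x4",
    },
    {   # Modification of the Blast gateway worker script outside an upgrade window
        "type": "file",
        "action": "modify",
        "path": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js",
    },
    {   # Outbound connection to one of the listed services
        "type": "network",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "dest_host": "webhook.site",
    },
    {   # Benign outbound connection (placeholder host)
        "type": "network",
        "image": r"C:\Program Files\Example\updater.exe",
        "dest_host": "updates.example.com",
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tomcat_abnormal_child(ev: Dict[str, str]) -> bool:
    """Sign 1: ws_TomcatService.exe spawning a process outside the allowlist."""
    if ev.get("type") != "process":
        return False
    if _basename(ev.get("parent_image", "")) != "ws_tomcatservice.exe":
        return False
    return _basename(ev.get("image", "")) not in EXPECTED_TOMCAT_CHILDREN


def powershell_vmblastsg(ev: Dict[str, str]) -> bool:
    """Sign 2: powershell.exe whose command line mentions VMBlastSG."""
    return (
        ev.get("type") == "process"
        and _basename(ev.get("image", "")) == "powershell.exe"
        and "vmblastsg" in ev.get("cmdline", "").lower()
    )


def absg_worker_modified(ev: Dict[str, str]) -> bool:
    """Sign 3: write to ...\appblastgateway\lib\absg-worker.js."""
    if ev.get("type") != "file" or ev.get("action") != "modify":
        return False
    path = ev.get("path", "").replace("/", "\\").lower()
    return path.endswith(r"\appblastgateway\lib\absg-worker.js")


def watched_host_connection(ev: Dict[str, str]) -> bool:
    """Outbound connection to one of the services named in the alert."""
    host = ev.get("dest_host", "").lower().rstrip(".")
    return ev.get("type") == "network" and host in WATCHED_HOSTS


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("tomcat_abnormal_child", tomcat_abnormal_child),
    ("powershell_vmblastsg", powershell_vmblastsg),
    ("absg_worker_modified", absg_worker_modified),
    ("watched_host_connection", watched_host_connection),
]


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

A file write to absg-worker.js is only meaningful when correlated with change records, since the article notes the file is legitimately overwritten during upgrades; the same applies to the watched hosts, which are legitimate services and should be alerted on only in combination with an unusual source process such as the Tomcat service or a PowerShell child of it.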