NHS cyber team sounds the alarm over Log4Shell attacks on VMware software
Threat actors can use a two-stage attack to establish a presence on affected networks
The NHS cyber alert service has warned that an unknown threat group has been observed attacking VMware Horizon servers using the Log4Shell vulnerability.
VMware Horizon is a widely used virtual desktop infrastructure (VDI) platform that is known to be vulnerable to the Log4Shell flaws in the Log4j Java logging library.
According to VMware, a number of components of the platform are affected by the CVE-2021-44228 and CVE-2021-45046 vulnerabilities, and users are advised to upgrade to a new version or, if that's not possible, implement manual mitigation processes that include disabling lookups from the affected services.
In an online post, the NHS cyber alert service says an unknown threat group has been targeting unpatched Horizon systems in order to establish a presence within the affected networks. Having achieved that objective, the attackers could steal data or deploy malicious software such as ransomware, it warns.
An attack will likely come in two stages. First, hackers make use of the vulnerable Java Naming and Directory Interface (JNDI) for reconnaissance, sending messages back to their command and control infrastructure.
Having identified weak points, they could use the Lightweight Directory Access Protocol (LDAP) to "execute a malicious Java class file to inject a web shell into the VM Blast Secure Gateway service".
Web shell in place, they would then be free to deploy malware or venture further into the network.
A weak point in Horizon is the embedded Apache Tomcat web server, which suffers from the Log4Shell vulnerability. Using this vulnerability, attackers can locate the absg-worker.js file and modify it to listen for any web request containing a specific string, then execute any command received alongside that string.
Once this has been achieved, the attacker has a reliable foothold within the network and a channel of communication with a command and control server.
As a first step to assessing the threat, the NHS team advises organisations to look for the following:
- Evidence of ws_TomcatService.exe spawning abnormal processes
- Any powershell.exe processes containing 'VMBlastSG' in the command line
- File modifications to '…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js' (this file is generally overwritten during upgrades, not modified)
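As an added example, not from the NHS alert, here is a small triage routine that applies the three indicators above to constructed endpoint telemetry (process-creation and file-modification events). It assumes the allow-list of children that ws_TomcatService.exe may legitimately spawn is supplied by the caller (empty by default, so every child is flagged), and the install-path prefix in the sample events is a made-up placeholder; the script matches only on the path suffix the alert names.

```python
"""Triage constructed endpoint telemetry for the three NHS-listed Horizon indicators."""
from dataclasses import dataclass

# Path suffix from the alert; the leading part of the path is not matched on.
ABSG_WORKER_SUFFIX = r"\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js"


@dataclass
class Event:
    kind: str          # "process" (creation) or "file" (modification)
    image: str = ""    # created process image (process events)
    parent: str = ""   # parent process image (process events)
    cmdline: str = ""  # command line of the created process (process events)
    path: str = ""     # path written to (file events)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events, expected_children=frozenset()):
    """Return (indicator, detail) pairs for events matching the alert's indicators.

    expected_children is an ASSUMED allow-list of lower-cased child image names
    that ws_TomcatService.exe may spawn legitimately; any other child is flagged.
    """
    hits = []
    for ev in events:
        if ev.kind == "process":
            parent, image = _basename(ev.parent), _basename(ev.image)
            if parent == "ws_tomcatservice.exe" and image not in expected_children:
                hits.append(("tomcat-child", f"{parent} -> {image}"))
            if image == "powershell.exe" and "vmblastsg" in ev.cmdline.lower():
                hits.append(("vmblastsg-powershell", ev.cmdline))
        elif ev.kind == "file" and ev.path.lower().endswith(ABSG_WORKER_SUFFIX.lower()):
            hits.append(("absg-worker-modified", ev.path))
    return hits


# Constructed sample telemetry (not real logs); the install root is a placeholder.
ROOT = r"D:\placeholder-install-root"
SAMPLE = [
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          parent=ROOT + r"\VMware\VMware View\Server\bin\ws_TomcatService.exe",
          cmdline="cmd.exe /c whoami"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="powershell.exe -c Get-Service VMBlastSG"),
    Event("process", image=ROOT + r"\VMware\VMware View\Server\bin\ws_TomcatService.exe",
          parent=r"C:\Windows\System32\services.exe", cmdline="ws_TomcatService.exe"),
    Event("file", path=ROOT + r"\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js"),
    Event("file", path=ROOT + r"\VMware\VMware View\Server\appblastgateway\lib\other.js"),
]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE):
        print(f"{indicator}: {detail}")
```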
Horizon is not the only VMware software affected by Log4Shell. Machines running VMware vCenter Server have also been attacked, including by the Conti ransomware gang.
Since it was made public in December, the Log4j vulnerability has been a magnet for threat groups.
Last month, researchers at security firm Check Point said they had observed Iranian hacking group APT 35 trying to exploit the bug against seven entities in the Israeli government and business sector, while Akamai Technologies said it had tracked more than 10 million attempts per hour to exploit the Log4j vulnerability in the US.
And on 20th December the Belgian Ministry of Defence confirmed a cyber attack on its computer network that exploited the Log4j vulnerability.