Saturday, April 27, 2024

Hackers Targeting Log4j Flaws in VMware Horizon – NHS

By Guru baran

Log4j Flaws VMware

In VMware Horizon servers to establish web shells, the threat actors are actively targeting and exploiting the Log4Shell vulnerabilities. 

The UK’s National Health Service (NHS) has warned about a Log4Shell exploit that is actively targeting the vulnerability that is tracked as “CVE-2021-44228,” it’s a critical arbitrary remote code execution flaw in the Apache Log4j 2.14.

Since December 2021 this vulnerability has been under active and high-volume exploitation by the threat actors.

While here, the affected product is VMware Horizon, and the version that was affected by this critical vulnerability is the:-

  • Horizons Connection Server (64bit) 2006-2111, 7.13.0-7.13.1, 7.10.0-7.10.3

In VMware Horizon, Apache Tomcat is Targeted

On vulnerable VMware Horizon deployments that were made on the public infrastructure, the threat actors are actively leveraged the exploit simply to gain remote code execution (RCE). 

Here’s what the non-departmental public body stated in an alert:-

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure.”

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

In short, with the help of web shell, the threat actors can perform several malicious tasks like:-

  • Deployment of additional malicious software.
  • Data exfiltration.
  • Deployment of ransomware.

Here, the presence of the Apache Tomcat service in VMware Horizon gives efficient advantages to the threat actors, since this service is also vulnerable to Log4Shell.

To perform all these things, with the command and control (C2) server the threat actors establish persistent and stable communication, as it’s one of the key factors.

Flaw Profile

  • CVE ID: CVE-2021-44228
  • Threat ID: CC-4002
  • Threat Severity: Critical
  • CVSS score: 10.0
  • Threat Vector: Exploit
  • Published: 5 January 2022 3:30 PM

Security Advice

Things that are recommended by the experts to look after:-

  • Evidence of ws_TomcatService.exe spawning abnormal processes.
  • Any powershell.exe processes containing ‘VMBlastSG’ in the commandline.
  • File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ (This file is generally overwritten during upgrades, and not modified.)

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Managed WAF Protection

Website

Latest articles

CVE/vulnerability

NETGEAR buffer Overflow Vulnerability Let Attackers Bypass Authentication

Some router models have identified a security vulnerability that allows attackers to bypass authentication.To...
CVE/vulnerability

5000+ CrushFTP Servers Hacked Using Zero-Day Exploit

Hackers often target CrushFTP servers as they contain sensitive data and are used for...
Cyber Attack

13,142,840 DDoS Attacks Targeted Organization Around The Globe

DDoS attacks are a significant and growing risk that can overpower websites, crash servers,...
CVE/vulnerability

Hackers Exploit Old Microsoft Office 0-day to Deliver Cobalt Strike

Hackers have leveraged an old Microsoft Office vulnerability, CVE-2017-8570, to deploy the notorious Cobalt...
Cyber Attack

Microsoft Publicly Releases MS-DOS 4.0 Source Code

In a historic move, Microsoft has made the source code for MS-DOS 4.0, one...
Cyber Attack

New SSLoad Malware Combined With Tools Hijacking Entire Network Domain

A new attack campaign has been discovered to be employed by the FROZEN#SHADOW, which...
Cyber Security News

Palo Alto Networks Shares Remediation Advice for Hacked Firewalls

Palo Alto Networks has issued urgent remediation advice after discovering a critical vulnerability, designated...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]