In VMware Horizon servers to establish web shells, the threat actors are actively targeting and exploiting the Log4Shell vulnerabilities.
The UK’s National Health Service (NHS) has warned about a Log4Shell exploit that is actively targeting the vulnerability that is tracked as “CVE-2021-44228,” it’s a critical arbitrary remote code execution flaw in the Apache Log4j 2.14.
Since December 2021 this vulnerability has been under active and high-volume exploitation by the threat actors.
While here, the affected product is VMware Horizon, and the version that was affected by this critical vulnerability is the:-
- Horizons Connection Server (64bit) 2006-2111, 7.13.0-7.13.1, 7.10.0-7.10.3
In VMware Horizon, Apache Tomcat is Targeted
On vulnerable VMware Horizon deployments that were made on the public infrastructure, the threat actors are actively leveraged the exploit simply to gain remote code execution (RCE).
Here’s what the non-departmental public body stated in an alert:-
“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure.”
“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”
In short, with the help of web shell, the threat actors can perform several malicious tasks like:-
- Deployment of additional malicious software.
- Data exfiltration.
- Deployment of ransomware.
Here, the presence of the Apache Tomcat service in VMware Horizon gives efficient advantages to the threat actors, since this service is also vulnerable to Log4Shell.
To perform all these things, with the command and control (C2) server the threat actors establish persistent and stable communication, as it’s one of the key factors.
- CVE ID: CVE-2021-44228
- Threat ID: CC-4002
- Threat Severity: Critical
- CVSS score: 10.0
- Threat Vector: Exploit
- Published: 5 January 2022 3:30 PM
Things that are recommended by the experts to look after:-
- Evidence of ws_TomcatService.exe spawning abnormal processes.
- Any powershell.exe processes containing ‘VMBlastSG’ in the commandline.
- File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ (This file is generally overwritten during upgrades, and not modified.)