Tuesday, June 18, 2024

Hackers Targeting Log4j Flaws in VMware Horizon – NHS

In VMware Horizon servers to establish web shells, the threat actors are actively targeting and exploiting the Log4Shell vulnerabilities. 

The UK’s National Health Service (NHS) has warned about a Log4Shell exploit that is actively targeting the vulnerability that is tracked as “CVE-2021-44228,” it’s a critical arbitrary remote code execution flaw in the Apache Log4j 2.14.

Since December 2021 this vulnerability has been under active and high-volume exploitation by the threat actors.

While here, the affected product is VMware Horizon, and the version that was affected by this critical vulnerability is the:-

  • Horizons Connection Server (64bit) 2006-2111, 7.13.0-7.13.1, 7.10.0-7.10.3

In VMware Horizon, Apache Tomcat is Targeted

On vulnerable VMware Horizon deployments that were made on the public infrastructure, the threat actors are actively leveraged the exploit simply to gain remote code execution (RCE). 

Here’s what the non-departmental public body stated in an alert:-

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure.”

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

In short, with the help of web shell, the threat actors can perform several malicious tasks like:-

  • Deployment of additional malicious software.
  • Data exfiltration.
  • Deployment of ransomware.

Here, the presence of the Apache Tomcat service in VMware Horizon gives efficient advantages to the threat actors, since this service is also vulnerable to Log4Shell.

To perform all these things, with the command and control (C2) server the threat actors establish persistent and stable communication, as it’s one of the key factors.

Flaw Profile

  • CVE ID: CVE-2021-44228
  • Threat ID: CC-4002
  • Threat Severity: Critical
  • CVSS score: 10.0
  • Threat Vector: Exploit
  • Published: 5 January 2022 3:30 PM

Security Advice

Things that are recommended by the experts to look after:-

  • Evidence of ws_TomcatService.exe spawning abnormal processes.
  • Any powershell.exe processes containing ‘VMBlastSG’ in the commandline.
  • File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ (This file is generally overwritten during upgrades, and not modified.)

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles