Thursday, March 28, 2024

Hackers Targeting Log4j Flaws in VMware Horizon – NHS

In VMware Horizon servers to establish web shells, the threat actors are actively targeting and exploiting the Log4Shell vulnerabilities. 

The UK’s National Health Service (NHS) has warned about a Log4Shell exploit that is actively targeting the vulnerability that is tracked as “CVE-2021-44228,” it’s a critical arbitrary remote code execution flaw in the Apache Log4j 2.14.

Since December 2021 this vulnerability has been under active and high-volume exploitation by the threat actors.

While here, the affected product is VMware Horizon, and the version that was affected by this critical vulnerability is the:-

  • Horizons Connection Server (64bit) 2006-2111, 7.13.0-7.13.1, 7.10.0-7.10.3

In VMware Horizon, Apache Tomcat is Targeted

On vulnerable VMware Horizon deployments that were made on the public infrastructure, the threat actors are actively leveraged the exploit simply to gain remote code execution (RCE). 

Here’s what the non-departmental public body stated in an alert:-

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure.”

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

In short, with the help of web shell, the threat actors can perform several malicious tasks like:-

  • Deployment of additional malicious software.
  • Data exfiltration.
  • Deployment of ransomware.

Here, the presence of the Apache Tomcat service in VMware Horizon gives efficient advantages to the threat actors, since this service is also vulnerable to Log4Shell.

To perform all these things, with the command and control (C2) server the threat actors establish persistent and stable communication, as it’s one of the key factors.

Flaw Profile

  • CVE ID: CVE-2021-44228
  • Threat ID: CC-4002
  • Threat Severity: Critical
  • CVSS score: 10.0
  • Threat Vector: Exploit
  • Published: 5 January 2022 3:30 PM

Security Advice

Things that are recommended by the experts to look after:-

  • Evidence of ws_TomcatService.exe spawning abnormal processes.
  • Any powershell.exe processes containing ‘VMBlastSG’ in the commandline.
  • File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ (This file is generally overwritten during upgrades, and not modified.)

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles