The National Health Service (NHS) in the UK has issued an alert warning of an unknown gang of hackers targeting VMware Horizon deployments with Log4j vulnerabilities.
Log4Shell is in an exploit within Apache Log4j 2.14, and is classed as vulnerability CVE-2021-44228. The Log4j vulnerabilities have seen high activity since December 2021.
Apache has addressed the Log4j vulnerabilities, and version 2.17.1 is now considered adequately secure
Apache addressed the above and four more vulnerabilities via subsequent security updates, and Log4j version 2.17.1 is now considered adequately secure.
According to the NHS notice, the threat actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.
“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” explains the alert.
“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”
“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.”
The actor is taking advantage of the presence of the Apache Tomcat service embedded within VMware Horizon, which is vulnerable to Log4Shell.
The exploitation begins with the simple and widely used payload and spawns the following PowerShell command from Tomcat.
This command invokes a win32 service to get a list of ‘VMBlastSG’ service names, retrieve paths, modify ‘absg-worker.js’ to drop a listener, and then restart the service to activate the implant.
The listener is then responsible for executing arbitrary commands received via HTTP/HTTPS as header objects with a hardcoded string.
At this point, the actor has established persistent and stable communication with the C2 server and can perform data exfiltration, command execution, or deploy ransomware.
VMware Horizon is not the only VMware product targeted by threat actors using the Log4j vulnerabilities.
The Conti ransomware operation is also using Log4j vulnerabilities to spread laterally to vulnerable VMware vCenter servers to more easily encrypt virtual machines.
VMware released a security update for Horizon and other products last month, fixing CVE-2021-44228 and CVE-2021-45046 with versions 2111, 7.13.1, and 7.10.3
As such, all VMware Horizon admins are urged to apply the security updates as soon as possible.
NHS’s report also highlights the following three signs of active exploitation on vulnerable systems:
- Evidence of ws_TomcatService.exe spawning abnormal processes
- Any powershell.exe processes containing ‘VMBlastSG’ in the command line
- File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is generally overwritten during upgrades and not modified
Protection Against Log4j Vulnerabilities
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.