Posted on January 10, 2022 at 7:37 PM

Hackers exploiting a flaw on VMware Horizon servers to launch attacks

The UK National Health Service (NHS) has issued a report on the Log4Shell vulnerabilities in VMware Horizon servers. The report notes that a threat actor is exploiting a flaw in these unpatched servers, noting that the threat actor behind the attack has not been identified.

The digital security team at the NHS noted that the attackers were looking for unpatched flaws in VMware Horizon servers, with the threat actors behind the attack being unknown.

Unknown threat actors exploiting a flaw on VMware Horizon servers

The report noted that an unknown threat actor was using the vulnerability to send malicious web shells and create a persistent attack mode. As such, they conducted consecutive attacks on the servers.

In the alert, the NHS noted, “The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to callback to malicious infrastructure.”

Additionally, the report stated that once the threat actor identified the weakness, they went ahead to use the Lightweight Directory Access Protocol (LDAP) to retrieve a malicious Java class file. This file was later executed, such that it introduced a web shell into the VM Blast Secure Gateway service.

The web shell was then deployed, after which it served as a tool to be used in carrying out a variety of attacks. After the initial attack was launched, a series of post-exploitation activities were also conducted. These activities were used for various things, including deploying malicious software, exfiltrating data, or deploying ransomware.

As mentioned earlier, the exploit is being conducted on VMware Horizon servers that have not been patched. The Log4j vulnerabilities are present on versions7.x and 8.x of the VMware Horizon servers.

Not the first time the flaw is being detected

Log4Shellis a vulnerability with a CVE-2021-44228 and a CVSS score of 100. It is also a critical arbitrary remote code execution flaw present in Apache Log4j 2, an open-source logging framework. It has been executed as part of various malware campaigns since its launch in December last year.

Given the broad reach, the flaw has attracted a wide range of threat actors looking to exploit it. Nation-state hackers and ransomware attackers have been at the forefront of taking advantage of the vulnerability and gaining access to users.

This is not the first time for VMware products to be exploited. The products have been exploited in the past due to the flaws that remain unpatched in the Log4j library. In December last year, a report of an attack conducted using this vulnerability was published.

Researchers from AdvIntel noted that the threat actors were targeting systems that operated the servers on VMware VCenter. The objective of these attacks was to install the Conti ransomware on devices and gain access to users and their devices.

Additionally, VMware is looking to release security patches for various products. The security patches have been released for Horizon, VCenter and a wide range of other products. The patches were implemented last month, which could have been triggered by Log4Shell.

The platform further urged users to install the patches where needed. The platform also added that clients could work on other solutions on a temporary basis to counter the potential of any risks.

Additionally, the report from NHS provided several tips that users could follow to reduce the potential risk of falling victim to the exploitation of this vulnerability. The body noted that organizations needed to look out for signs that their servers could be exploited by the attack.

The report noted that one piece of evidence to detect whether a system has been exploited is the “ws_TomcatService.exe spawning abnormal processes. Detecting such vulnerabilities early could ensure that the organizations do not suffer from major damages in the future.

The other thing organizations need to look out for is “any powershell.exe processes containing VMBlastSG in the commandline.” This could also help the organization discover a potential attack on its servers and give it a proactive approach in detecting and taming the attack before it happens.

The report also includes “file modifications to ‘…/VMware/VMwareView/Server/appblastgateway/lib/absg-worker.js’ – This file is generally overwritten during upgrades and not modified.

The NHS has been vigilant in promoting cybersecurity in the healthcare sector. The sector has been facing increasing cyberattacks, with sensitive patient data being accessed by threat actors. The number of attacks on healthcare facilities has especially intensified during the pandemic. As such, the NHS has been committed to safeguarding sensitive data and ensuring organizations have the right systems in place to battle these malicious attacks.