Wednesday, June 19, 2024

UK: NHS Warns of Hackers Exploiting Log4Shell

The UK’s National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.

Log4Shell is an exploit for CVE-2021-44228, a critical arbitrary remote code execution flaw in the Apache Log4j 2.14, which has been under active and high-volume exploitation since December 2021.

Apache addressed the above and four more vulnerabilities via subsequent security updates, and Log4j version 2.17.1 is now considered adequately secure.

Hackers Targeting Apache Tomcat in VMware Horizon with Log4Shell

According to the NHS notice, the actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.

This comes just two days after we were able to report that Microsoft issued a very similar warning, in that log4j attacks remain rampant into 2022. See here

log4shell nhs

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” explains the alert.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.”

The actor is taking advantage of the presence of the Apache Tomcat service embedded within VMware Horizon, which is vulnerable to Log4Shell.

The exploitation begins with the simple and widely used “${jndi:ldap://}” payload and spawns the following PowerShell command from Tomcat.

PowerShell command  log4shell
PowerShell command spawned by Tomcat
Source: NHS

This command invokes a win32 service to get a list of ‘VMBlastSG’ service names, retrieve paths, modify ‘absg-worker.js’ to drop a listener, and then restart the service to activate the implant.

Recommended:  Cyberattack disrupts Bulgarian government websites over ‘betrayal to Russia’

The listener is then responsible for executing arbitrary commands received via HTTP/HTTPS as header objects with a hardcoded string.

At this point, the actor has established persistent and stable communication with the C2 server and can perform data exfiltration, command execution, or deploy ransomware.

Attack flow diagram
Source: NHS
Attack flow diagram
Source: NHS

VMware Horizon is not the only VMware product targeted by threat actors using the Log4j vulnerability.

The Conti ransomware operation is also using Log4Shell to spread laterally to vulnerable VMware vCenter servers to more easily encrypt virtual machines.

Security updates are available

VMware released a security update for Horizon and other products last month, fixing CVE-2021-44228 and CVE-2021-45046 with versions 2111, 7.13.1, and 7.10.3

As such, all VMware Horizon admins are urged to apply the security updates as soon as possible.

NHS’s report also highlights the following three signs of active exploitation on vulnerable systems:

  1. Evidence of ws_TomcatService.exe spawning abnormal processes
  2. Any powershell.exe processes containing ‘VMBlastSG’ in the command line
  3. File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is generally overwritten during upgrades and not modified

Is log4shell the worst security vulnerability of the decade?

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates