Lucene search

K
thnThe Hacker NewsTHN:833B2B9623F1C64D20868B947E8BE4E0
HistoryJan 08, 2022 - 7:04 a.m.

NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon

2022-01-0807:04:00
The Hacker News
thehackernews.com
185

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

VMware Horizon

The digital security team at the U.K. National Health Service (NHS) has raised the alarm on active exploitation of Log4Shell vulnerabilities in unpatched VMware Horizon servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks.

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” the non-departmental public body said in an alert. “Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

The web shell, once deployed, can serve as a conduit to carry out a multitude of post-exploitation activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware. VMware Horizon versions 7.x and 8.x are vulnerable to the Log4j vulnerabilities.

VMware Horizon

Log4Shell is an exploit for CVE-2021-44228 (CVSS score: 10.0), a critical arbitrary remote code execution flaw in Apache Log4j 2, an ubiquitous open-source logging framework, which has been put to use as part of different malware campaigns since it came to light in December 2021. An array of hacking groups, ranging from nation-state actors to ransomware cartels, have pounced on the vulnerability to date.

The development also marks the second time VMware products have come under exploitation stemming as a result of vulnerabilities in the Log4j library. Last month, AdvIntel researchers disclosed that attackers were targeting systems running VMware VCenter servers with the aim of installing Conti ransomware.

VMware, for its part, has already released security updates for Horizon, VCenter, and other products last month that have been impacted by Log4Shell, with the virtualization services provider acknowledging scanning attempts in the wild, urging customers to install the patches where applicable or apply workarounds temporarily to counter any potential risk.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Related for THN:833B2B9623F1C64D20868B947E8BE4E0