longjae.blogg.se

Vmware horizon hackers are under exploit











NHS’s report also highlights the following three signs of active exploitation on vulnerable systems:

- Evidence of ws_TomcatService.exe spawning abnormal processes.
- Any powershell.exe processes containing ‘VMBlastSG’ in the command line.
- File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.
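The three signs listed in the NHS report map directly onto process-creation and file-event telemetry. The following triage script is an added example, not part of the NHS alert or the original article; the Sysmon-style field names, the set of child processes treated as "abnormal", and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumption: "abnormal" children of ws_TomcatService.exe are site-specific;
# command interpreters are used here as a starting set to tune per environment.
ABNORMAL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Path fragment as given in the alert (the file extension is cut off on the page).
WORKER_FRAGMENT = r"\vmware\vmware view\server\appblastgateway\lib\absg-worker."

def check_event(ev):
    """Return the names of the indicators that a single event matches."""
    hits = []
    image = basename(ev.get("Image", "")).lower()
    parent = basename(ev.get("ParentImage", "")).lower()
    cmdline = ev.get("CommandLine", "").lower()
    target = ev.get("TargetFilename", "").lower()
    if parent == "ws_tomcatservice.exe" and image in ABNORMAL_CHILDREN:
        hits.append("tomcat_abnormal_child")
    if image == "powershell.exe" and "vmblastsg" in cmdline:
        hits.append("powershell_vmblastsg")
    if WORKER_FRAGMENT in target:
        hits.append("absg_worker_modified")
    return hits

def triage(events):
    """Map event index -> matched indicators, skipping clean events."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample events (not from a real incident); ".ext" is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\constructed\ws_TomcatService.exe",
     "CommandLine": "cmd.exe /c ver"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -c "Get-Service VMBlastSG"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\constructed\VMware\VMware View\Server\appblastgateway\lib\absg-worker.ext"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```

A match on the worker-file path only shows that the file was written; compare it against a known-good copy from the installed version before drawing conclusions.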


“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface™ (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” explains the alert.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.”

Attack flow diagram: Log4j flaw in VMware Horizon

The PowerShell commands help the adversaries in retrieving outputs using a webhook, while all connections employ one of the following legitimate services:

Security updates are available

VMware released a security update for Horizon and other products last month, fixing CVE-2021-44228 and CVE-2021-45046 with versions 2111, 7.13.1, and 7.10.3.

As such, all VMware Horizon admins are urged to apply the security updates as soon as possible.


Targeting Apache Tomcat in VMware Horizon

According to the NHS notice, the actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.


The UK’s National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.

Log4Shell is an exploit for CVE-2021-44228, a critical arbitrary remote code execution flaw in the Apache Log4j 2.14, which has been under active and high-volume exploitation since December 2021.

Apache addressed the above and four more vulnerabilities via subsequent security updates, and Log4j version 2.17.1 is now considered adequately secure.












