- NHS Digital, an information technology partner for the U.K. health system, said threat actors are targeting Log4Shell vulnerabilities in VMware Horizon to to create web shells, which can be used to steal data, introduce additional malicious software or launch a ransomware attack.
- VMware Horizon is a widely used virtual desktop application that allows workers to operate remotely and VMware issued security updates for its software following the initial Log4J vulnerability disclosures in December. The NHS Digital alert did not specify whether the activity was related to activity seen within the health service or if it involved other targets.
- "CISA is aware of the NHS alert regarding potential targeting of VMware products," a spokesperson for the Cybersecurity and Infrastructure Security Agency said via email. CISA is working with government and private industry officials to understand potential risks to federal agencies and critical infrastructure.
The attackers are likely using the Java Naming and Directory Interface during the initial reconnaissance phase as a call back method using Log4Shell payloads, according to NHS Digital. The Lightweight Directory Access Protocol is then used to execute a malicious Java class file in order to insert a web shell into the VM Blast Secure Gateway service, according to NHS Digital.
"We are supporting our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organizations," a spokesman for NHS said in an emailed statement. "This includes guidance on how to prevent and detect exploitation techniques that could be used by threat actors."
Government officials in the U.K. are working with U.S. and other allied agencies on efforts to fight the growing number of threat actors looking to take advantage of the Log4j vulnerability to launch attacks.
Security researchers from Microsoft, Mandiant, CrowdStrike, and other firms warned that various criminal and nation-state affiliates have launched reconnaissance and more direct attacks on targets in an attempt to exploit the Log4j vulnerability. The threat is considered extremely dangerous because attackers do not need a high level of sophistication or experience to initiate attacks with this vulnerability.
"What is most interesting, and makes this problem so pernicious is that the vulnerability was uncovered in a subsystem of VMWare Horizon, Apache Tomcat, which is a widely used application server," said Jonathan Care, Gartner senior research director. "Tomcat uses Log4j to perform logging services, and so the vulnerability is exposed."
In response to last week's NHS Digital alert, VMware issued a similar statement to the one it provided in December regarding how it prioritizes the security of its customers and pointed to the statement it issued in a Dec. 10 security advisory VMSA-2021-0028. The company also noted that any service connected to the internet that is not patched against CVE-2021-44228 and CVE-2021-45046 is vulnerable to hackers and should be patched.