Log4Shell Update: VMware Horizon Targeted
Attackers have been actively targeting Log4j, or Log4shell, vulnerabilities in the servers of virtualization solution VMware Horizon to establish persistent access via web shells, according to an alert by the U.K. National Health Service.
The web shells could allow unauthenticated attackers to remotely execute commands on a server affected by Log4Shell vulnerabilities to establish persistence within affected networks, the alert says, and adds that an attacker can use these web shells to deploy malicious software or ransomware and exfiltrate data.
"The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure," according to the alert. "Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service." VMware did not immediately respond to Information Security Media Group's request for additional information.