Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2633" data-attributes="member: 3"><h3><span style="color: rgb(251, 160, 38)">Severity: Medium</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> NHS Warns of Hackers Exploiting Log4shell in VMware Horizon</h3><p><strong>Tags</strong></p><ol> <li data-xf-list-type="ol"><strong>Critical CVE</strong></li> <li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li> </ol><p><strong>NHS Warns of Hackers Exploiting Log4shell in VMware Horizon</strong></p><p><strong>Summary:</strong></p><p>VMware Horizon supports local, hybrid (local but managed in the cloud) and multi-cloud deployment strategies. End users can access custom virtual desktops or remote RDSH applications from company laptops, home PCs, Mac computers, thin clients, or mobile devices.</p><p>“According to the NHS notice, the actor is leveraging the Log4shell exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure. The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface™ (JNDI) via Log4J Shell payloads to call back malicious infrastructure,” explains the alert.</p><p>Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.</p><p><strong>Analyst Comments:</strong></p><p>This is not the first time we have observed threat actors leveraging vulnerabilities to deploy web shells on systems. Web shells can be difficult to identify and stop once deployed. They are often used to facilitate remote administration. When weaponized, a web shell could allow threat actors to modify files and even access the root directory of the targeted web server and systems. The Chinese state-sponsored group Hafnium leveraged Microsoft vulnerabilities to deploy web shells on Exchange servers in widespread attacks previously. In a controversial effort, the FBI removed the shells from company systems.</p><p><strong>Mitigation:</strong></p><p>Likely, organizations are still in the process of identifying products and services that utilize Log4j. Patching and applying mitigation measures will be an ongoing effort for some time.</p><p><strong>Source:</strong></p><p><a href="https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploiting-log4shell-in-vmware-horizon/" target="_blank">https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploiting-log4shell-in-vmware-horizon/</a></p><p><a href="https://digital.nhs.uk/cyber-alerts/2022/cc-4002" target="_blank">https://digital.nhs.uk/cyber-alerts/2022/cc-4002</a></p></blockquote>
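The mitigation section of the post notes that organizations are still identifying which products and services bundle Log4j. As an added example (not code from the post, the NHS alert, or VMware), here is a Python scanner that walks a directory tree, descends into nested archives such as WARs and fat jars, and reports the bundled log4j-core version from its manifest and whether the JndiLookup class that Log4Shell abuses is still present; all function names are assumptions, and the sample jars it scans are constructed in a temporary directory rather than taken from a real install.

```python
import io, os, pathlib, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"  # any entry under here means log4j-core is bundled
ARCHIVES = (".jar", ".war", ".ear")

def inspect_archive(data, label):
    """Finding for an archive bundling log4j-core (manifest version, JndiLookup present?), else None."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # a .jar that is not a valid zip carries no classes
        return None
    names = set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
        version = next((ln.split(":", 1)[1].strip() for ln in manifest.splitlines()
                        if ln.startswith("Implementation-Version:")), "unknown")
        return {"path": label, "version": version, "jndi_lookup_present": JNDI_CLASS in names}
    for n in names:  # fat jars and WARs carry log4j-core nested inside another archive
        found = n.endswith(ARCHIVES) and inspect_archive(zf.read(n), f"{label}!/{n}")
        if found:
            return found
    return None

def scan_tree(root):
    """Return one finding per archive under root that bundles log4j-core."""
    findings = []
    for path in (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(ARCHIVES)):
        with open(path, "rb") as fh:
            found = inspect_archive(fh.read(), path)
        if found:
            findings.append(found)
    return findings

def fake_log4j_core(version, with_jndi):
    """Constructed sample (not real log4j): bytes of a minimal jar mimicking log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "LogEvent.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def demo():
    """Scan a temp tree: a vulnerable log4j-core nested in a WAR, plus a remediated loose jar."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j_core("2.14.1", True))
    pathlib.Path(root, "log4j-core-2.17.1.jar").write_bytes(fake_log4j_core("2.17.1", False))
    return sorted(scan_tree(root), key=lambda r: r["version"])
```

Point scan_tree at the product's install directory to get one line per bundled log4j-core; a finding with jndi_lookup_present still true on an old version is the one that needs patching or class removal first.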