Just over a month after the details of the initial Apache Log4j vulnerability surfaced, attacks against infrastructure running vulnerable versions of the application are continuing, including a recent furry of attacks targeting VMware Horizon servers by an unidentified threat actor group.
VMware Horizon server versions 8.x and 7.x are vulnerable to two of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), and officials with the UK’s National Health Service Digital said that an attack group is exploiting those two flaws to install webshells on compromised servers to maintain persistence. Webshells are an increasingly popular technique for attackers looking for a trivial method of preserving persistence on Internet-facing servers that they compromise. They are basic, small files that can quickly go unnoticed on a server and give an attacker remote access and the ability to execute further commands on the machine. Since the beginning of the Log4j saga in early December, various attackers have been installing webshells after exploiting one of the multiple flaws in the logging service.
The attacks targeting vulnerable VMware Horizon servers specifically exploit the Apache Tomcat service running on those servers. The attackers are using a specific PowerShell command spawned from the Tomcat service.
“The executed command invokes Get-WMIObject on win32_service, returning a list of service names containing 'VMBlastSG'. It identifies the file path for the service, replaces instances of 'nssm.exe' with 'lib/absg-worker.js' and writes this path to $path, thereby identifying the location of the 'absg-worker.js' file for the targeted VMware Horizon instance,” the advisory from NHS Digital says.
“This writes a code block to $expr that listens for any web requests containing a specific, hardcoded string in the URI before executing arbitrary commands contained in the 'data' header object. The output is delivered to the attacker via 'replyError' where requests contained the specified string, otherwise a standard error message is returned.”
Eventually, the attackers restart the VMBLastSG service in order to start a listener that communicates with the command-and-control server. The listener will run commands from the server that contain a specific hardcoded key.
“The commands are stored as a header object (named 'data') in the crafted requests. This process is used to establish persistent communication with a command and control server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” the advisory says.
The NHS Digital team has not identified the threat actors targeting VMware Horizon servers in these attacks, but since the first disclosures of the Log4j bug a wide variety of attack groups have been exploiting it. APT groups, lone actors, and cybercrime groups have been seen exploiting one or more of the Log4j flaws disclosed in the last few weeks. There have been some reports of isolated ransomware attacks following exploitation of Log4j bugs, but the widespread ransomware wave that many researchers feared might hit has not materialized yet.
We can help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.