Log4Shell Update: VMware Horizon TargetedWeb Shells Likely Used to Carry Out Malicious Activity, NHS Says
Attackers have been actively targeting Log4j, or Log4shell, vulnerabilities in the servers of virtualization solution VMware Horizon to establish persistent access via web shells, according to an alert by the U.K. National Health Service.
The web shells could allow unauthenticated attackers to remotely execute commands on a server affected by Log4Shell vulnerabilities to establish persistence within affected networks, the alert says, and adds that an attacker can use these web shells to deploy malicious software or ransomware and exfiltrate data.
"The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure," according to the alert. "Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service."
VMware did not immediately respond to Information Security Media Group's request for additional information.
The Log4j vulnerability can be triggered in VMWare Horizon via a simple GET request using a malformed header, which allows the attacker to perform simple mass exploitation, says Matthew Warner, CTO and co-founder of automated threat detection and response technology firm Blumira.
"As with all other Log4j weaponized attacks, this incident emphasizes the importance of knowing your attack surface and taking the necessary steps to reduce exposure. Unpatched and internet-facing servers will always be at risk; in no situation should VMWare Horizon be exposed directly to the internet without a VPN," he tells ISMG.
Currently some 25,000 Horizon servers are internet-accessible worldwide. And based on a dataset of 180, 10% have been backdoored with a modified absg-worker.js web shell, cybersecurity firm Huntress says, citing its own researchers and Shodan data.
"It’s important to note that about 34% (62) of the 180 Horizon servers we analyzed were unpatched and internet-facing at the time of this publication. The web shells on these 18 compromised systems established a timeline that started on Dec. 25, 2021, and continued until Dec. 29, 2021," the Huntress post says.
On Friday, the Huntress team was tipped off by managed antivirus detection solution provider Microsoft Defender about exploitation of the Log4Shell vulnerability in VMware Horizon. At the time, the bug was used to deliver the Cobalt Strike implant, Huntress researchers say.
The DFIR Report and Red Canary also reported similar behavior around the same time, confirming a PowerShell-based downloader executed a Cobalt Strike payload that was configured to call back to 185.112.83[.]116 for command and control (see: Block This Now: Cobalt Strike and Other Red-Team Tools).
"Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage," the digital forensics and incident response threat intelligence group The DFIR Report says.
The report also says that the Cobalt Strike is chosen for the second stage of the attack because it offers enhanced post-exploitation capabilities and ease of use and extensibility.
But the Huntress researchers claim that their statistics suggest these Cobalt Strike deployments were exploitations of Horizon itself and not the abuse of web shells.
"This conclusion is largely based on analysis of the PowerShell payload's parent process where web shell abuse spawns from node.exe while exploitation of Log4Shell in Horizon spawns from ws_tomcatservice.exe," the researchers say.
When VMware Horizon is exploited with #Log4Shell - you will see malicious activity spawn from a Tomcat process named “ws_TomcatService.exe”— Christopher Glyer (@cglyer) January 11, 2022
DEV-0401 commonly uses DLL side loading with the legitimate McAfee executable “mfeann.exe” to spawn their backdoor malware
Detection and Mitigation
The Huntress researchers suggest performing the following actions for detection:
- Run VMware’s Horizon Mitigation tool to report a vulnerable Log4j library or child process-based web shell present under the installation location with the following command: Horizon_Windows_Log4j_Mitigation.bat /verbose.
- Manually inspect/assess the files within %ProgramFiles%VMwareVMware ViewServerappblastgateway for the presence of the child_process string.
- Review records for evidence of node.exe or ws_TomcatService.exe spawning abnormal processes to include PowerShell.
"This new wave of coordinated hacking emphasizes the criticality of patching these servers immediately. VMware has produced detailed guidance to help you address these security vulnerabilities," the researchers say.
If a user discovers a web shell, VMware recommends that they take down the system and engage an incident response team to fully assess the compromise. The Huntress researchers recommend that the user restore data from a backup prior to Dec. 25 to remove the web shell.
"With that said, it’s entirely possible attackers exploited CVE-2021-44228 and CVE-2021-45046 to spread laterally within your network so you should proceed with caution," the researchers add.
According to Blumira's Warner, vulnerable VMWare Horizon servers that did not use antivirus such as Microsoft Defender would have been exploited successfully through this attack pattern.
"To protect against Log4j exploits, ensure that your host detection for exploitation of Cobalt Strike, Trickbot and related common attacker tools are functioning as intended and that you have the needed visibility to do so. It is of paramount importance to verify your exposed attack surface, especially for critical infrastructure like VMWare inside of your DMZ," Warner says.
The Huntress researchers have shared a set of recommendations to detect the mass exploitation of VMware Horizon servers and the installation of backdoor web shells. They say that users must consider the possibility that their server is compromised if it was unpatched and internet-facing.
George Papamargaritis, MSS operations director at Obrela Security Industries, recommends adopting best practices of application/service containment or segmentation to reduce the impact and disabling features or services that are not necessary to public-facing servers.
"Recent attack vectors have been published for public-facing services related to VMware Horizon, VMware Vcenter, VMware Workspace One, Mobile Iron, Unifi, Citrix XenMobile, and Fidelis CommandPost. Organizations need to proceed with implementing various process logging, detection and security-hardening measures to protect from existing attack vectors or new ones which remain unknown," he says.
Papamargaritis recommends using security monitoring services that have the right threat detection capabilities for backdoor detection, file integrity checking and application/service exploitation attempts, as well as the ability to combine - in real time - threat intelligence and vulnerability assessment reports.
"Reduce access to critical systems and data through network segmentation and zero trust network policy in the critical paths and minimize permissions of service accounts to public-facing servers. Also, performing regular scanning of the network to identify vulnerable applications or services is advised," Papamargaritis says.