A month after the details of the initial Apache Log4j vulnerability surfaced, attacks against applications running vulnerable versions of the tool are continuing, including a recent spate of attacks targeting VMware Horizon servers by an unidentified threat group.
VMware Horizon server versions 8.x and 7.x are vulnerable to two of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), and officials with the UK’s National Health Service Digital (NHS Digital) said that an attack group is exploiting those two flaws to install webshells on compromised servers and maintain persistence. Webshells are an increasingly popular technique for attackers looking for a simple way to maintain persistence on Internet-facing servers they compromise. They are small files that can easily go unnoticed on a server and give an attacker remote access and the ability to execute further commands on the machine. Since the beginning of the Log4j saga in early December, various attackers have been installing webshells after exploiting one of the flaws in the logging library.
The attacks targeting vulnerable VMware Horizon servers are specifically exploiting the Apache Tomcat service running on those servers. The attackers are using a specific PowerShell command spawned from the Tomcat service.
“The executed command invokes Get-WMIObject on win32_service, returning a list of service names containing 'VMBlastSG'. It identifies the file path for the service, replaces instances of 'nssm.exe' with 'lib/absg-worker.js' and writes this path to $path, thereby identifying the location of the 'absg-worker.js' file for the targeted VMware Horizon instance,” the advisory from NHS Digital says.
“This writes a code block to $expr that listens for any web requests containing a specific, hardcoded string in the URI before executing arbitrary commands contained in the 'data' header object. The output is delivered to the attacker via 'replyError' where requests contained the specified string, otherwise a standard error message is returned.”
Finally, the attackers restart the VMBlastSG service, which starts a listener that communicates with the command-and-control server. The listener only runs commands from that server when the request contains a specific hardcoded key.
“The commands are stored as a header object (named 'data') in the crafted requests. This process is used to establish persistent communication with a command and control server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” the advisory says.
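Detection logic for the process chain the advisory describes, as an added example that is not part of the original article or the NHS Digital advisory: it scores process-creation events for PowerShell launched by the Tomcat service whose command line enumerates win32_service and rewrites the VMBlastSG service path from nssm.exe to lib/absg-worker.js. The event shape, file paths and sample command lines are constructed assumptions, not captured telemetry.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    host: str
    parent_image: str  # parent process path (e.g. Sysmon ParentImage)
    image: str         # created process path
    command_line: str

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Strings from the NHS Digital description: the Blast gateway service name and
# the nssm.exe -> lib/absg-worker.js path substitution.
TAMPER_STRINGS = ("vmblastsg", "nssm.exe", "absg-worker.js")
WMI_SERVICE_QUERY = re.compile(r"get-wmiobject\b.*\bwin32_service\b", re.IGNORECASE)
def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def classify(ev):
    """Score one process-creation event as 'none', 'low', 'medium' or 'high'."""
    reasons = []
    if _basename(ev.image) not in POWERSHELL:
        return "none", reasons
    from_tomcat = "tomcat" in _basename(ev.parent_image)
    if from_tomcat:
        reasons.append("PowerShell spawned by the Tomcat service")
    if WMI_SERVICE_QUERY.search(ev.command_line):
        reasons.append("win32_service enumeration via Get-WMIObject")
    found = [s for s in TAMPER_STRINGS if s in ev.command_line.lower()]
    rewrite = "nssm.exe" in found and "absg-worker.js" in found
    if rewrite:
        reasons.append("service path rewritten from nssm.exe to absg-worker.js")
    elif found:
        reasons.append("references Blast gateway component: " + ", ".join(found))
    if not reasons:
        return "none", reasons
    if from_tomcat and len(reasons) > 1:
        return "high", reasons   # full chain described in the advisory
    return ("medium" if from_tomcat or rewrite else "low"), reasons

# Constructed sample events; paths and command lines are illustrative, not captured telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TOMCAT = r"C:\VMware\Tomcat\bin\tomcat9.exe"
SAMPLE_EVENTS = [
    ProcessEvent("horizon-cs1", TOMCAT, PS, "powershell.exe -c \"$path = (Get-WMIObject win32_service "
                 "| ?{$_.Name -like '*VMBlastSG*'}).PathName -replace 'nssm.exe','lib/absg-worker.js'\""),
    ProcessEvent("horizon-cs1", r"C:\Windows\explorer.exe", PS, "powershell.exe Restart-Service VMBlastSG"),
    ProcessEvent("horizon-cs1", TOMCAT, r"C:\VMware\jre\bin\java.exe", "java.exe -jar worker.jar"),
]
```

On a Horizon server any PowerShell child of the Tomcat service deserves a look on its own; the string matches only raise the priority, and an administrator restarting VMBlastSG from a desktop session scores low.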
The NHS Digital team has not identified the threat group that is targeting VMware Horizon servers in these attacks, but since the first disclosures of the Log4j bug a wide variety of attack groups have been exploiting it. APT groups, lone actors, and cybercrime groups all have been seen exploiting one or more of the Log4j flaws that have been disclosed in the last few weeks. There have been some reports of isolated ransomware attacks following exploitation of Log4j bugs, but the widespread ransomware wave that many researchers feared might hit has not materialized yet.