Log4j flaw: Attackers are targeting Log4Shell vulnerabilities in VMware Horizon servers, says NHS

The UK's National Health Service (NHS) has issued a warning that hackers are actively targeting Log4J vulnerabilities and is recommending that organisations within the health service apply the necessary updates in order to protect themselves. 

An advisory by NHS Digital says that an 'unknown threat group' is attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells that could be used to distribute malware and ransomware, steal sensitive information, and complete other malicious attacks. 

It's unclear if the warning has been issued because attacks targeting NHS systems have been detected, or if the advisory has been released as a general precaution because of the ongoing problem of the critical security vulnerability in Java logging library Apache Log4j that was disclosed in December. 

SEE: Your cybersecurity training needs improvement because hacking attacks are only getting worse

"We are aware of an exploit and are actively monitoring the situation. We will support our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organisations," an NHS spokesperson told ZDNet. 

The attacks being warned against exploit the Log4Shell vulnerability in the Apache Tomcat service embedded within VMware Horizon. Once the weaknesses have been identified, the attack uses the Lightweight Directory Access Protocol (LDAP) to execute a malicious Java file that injects a web shell into the VM Blast Secure Gateway service 

If successfully exploited, attackers can establish persistence on the affected networks and use this to carry out a number of malicious activities. 

NHS Digital recommends that organisations known to be running Horizon servers take the appropriate action and apply the necessary patches in order to ensure networks can resist attempted attacks. 

"Affected organisations should review the VMware Horizon section of the VMware security advisory VMSA-2021-0028 and apply the relevant updates or mitigations immediately," said the alert. 

Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there's a wide range of software in organisations around the world that could be at risk from attempts to exploit the vulnerability. 

Cyber criminals were quick to scan for vulnerable systems after the vulnerability was disclosed. Many took the opportunity to launch attacks including malware and ransomware campaigns. Attackers are still actively exploiting the vulnerability, Microsoft has warned. 

It's feared that the widespread use of Log4j in open-source software – to the extent that there's the potential that an organisation might not know it's even part of the ecosystem – could result in the vulnerability being a problem for years to come. 

The UK's National Cyber Security Centre (NCSC) is among those organisations that have issued advice to IT teams on how to manage Log4j vulnerabilities in the long run. 

MORE ON CYBERSECURITY

• Log4j flaw: Attackers are 'actively scanning networks' warns new CISA guidance
• Log4j flaw: This new threat is going to affect cybersecurity for a long time
• Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability
• Khonsari ransomware, Nemesis Kitten are exploiting Log4j vulnerability
• Log4j: Conti ransomware attacking VMware servers and TellYouThePass ransomware hits China