Cybercriminals Launching Log4Shell Attacks on VMware Software

The United Kingdom’s National Health Service (NHS) has issued an alert of Log4Shell attacks on VMware software.

The cyber alert service says an unknown threat group is attempting to exploit a log4j vulnerability in VMware Horizon servers to establish a presence within affected networks. If successful, attackers could steal data or deploy ransomware.

VMware confirmed the exploitation attempts.

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java naming and directory interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” the NHS alert said. “Once a weakness has been identified, the attack then uses the lightweight directory access protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the (VMware) Blast Secure Gateway service.”

The web shell can then be used by an attacker to carry out a number of malicious activities, it said. Those include deploying additional malicious software, data exfiltration or deployment of ransomware.

VMware a ‘Natural Target’

Emil Sayegh is CEO of Ntirety, a data security and regulatory compliance provider.

“Log4Shell is an internet vulnerability that affects hundreds of millions of computers and devices,” he said. “It involves the manipulation of a ubiquitous piece of software called log4j that is used to record all activities that go on behind the scenes in a wide range of software and computer systems. As such, attackers usually focus on what is most commonly used. VMWare is a natural target since 75% of all server virtualization is done through it. Organizations that have poor or sporadic patching practices are especially being impacted by this broad vulnerability.”

There is no easy fix, Sayegh said. Servers and devices must be patched.

Log4Shell is part of the software supply chain, he said. Therefore it’s very hard to know if it is on a certain system.

“Given that the vulnerability was made known right before the holidays, it appears that many organizations are still unprotected either due to vacations, or even absences due to … Omicron,” Sayegh said. “It is not a matter of paying attention, but more an issue of available talent and time to remedy the situation by patching every single device. This is one of the main reasons why organizations should outsource their security to a managed security provider that can comprehensively patch, alert, monitor, protect and mitigate threats such as Log4Shell.”

Commonly Used Platforms Most Targeted

VMware has a shorter list of vulnerabilities than other vendors, Sayegh said. However, there is nothing in VMware software that makes it immune to Log4shell.

“VMware is simply a virtualization platform, with software that could potentially contain log4j above or below its stack,” he said.

Albert Zhichun Li is vice president of engineering at Stellar Cyber.

Stellar Cyber’s Albert Zhichun Li

“Overall, log4j vulnerabilities are relatively easy to exploit and not too hard to defend,” he said. “The bar is low, and any attacker is capable of using Log4Shell. Every vendor needs to scan their potential java components, especially web services, in this case Tomcat, and offer urgent patches. All businesses need to keep security hygiene by patching the service or restricting the access.”

Stephanie Simpson is vice president of product management at Scythe.

Scythe’s Stephanie Simpson

“Ransomware gangs, like Conti, will continue to try to use Log4Shell vulnerabilities, especially as companies need to continue product development in the aftermath of this vulnerability being discovered,” she said. “To protect customers from these new tactics, techniques and procedures (TTPs), companies need to test and validate there are no holes in the software before it is pushed to production.”