Attacks on VMWare Horizon servers with log4j vulnerability

Sicherheit (Pexels, allgemeine Nutzung)[German]The consequences of the vulnerability discovered in the JAVA library log4j at the end of 2021 are slowly becoming visible. The UK National Health Service (NHS) IT specialists observe that an unknown threat group is targeting VMWare Horizon servers with the log4Shell vulnerability in order to install web shells for future attacks.


I had reported a critical vulnerability in the JNDI lookup function of the Java library log4j used for logging in the article 0-day CVE-2021-44228 in Java library log4j puts many projects at risk. This software is integrated in many other products. Thousands of services from Apple, Amazon, Twitter, Minecraft, etc. are vulnerable via this vulnerability. And first attacks on honeypots were observed promptly.

Until now, however, it was not clear whether this could become the "big bang" of IT at the end of 2021. Attacks on Mindcraft servers have been spotted, and the German Federal Finance Court and the Belgian Ministry of Defense have also been hit (see links at the end of the article). But the really big wave of hacks has so far failed to materialize.

British NHS observes attacks

Now the IT of the British National Health Service (NHS) or its security team is sounding the alarm. The UK NHS security team is observing that an unknown threat group is attacking VMWare Horizon servers with the Log4Shell vulnerability in order to install web shells for future attacks. observe. This is pointed out by Catalin Cimpanu in the following tweet.

NHS sees attacks on VMWare Horizon servers with the Log4Shell vulnerability

The NHS alert is available here. IT specialists believe the attack is likely still in an exploratory phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to invoke its malicious infrastructure.


Once a vulnerability is identified in the target system, the attack uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service of the VMWare Horizon Server. The web shell can then be used by an attacker to perform a range of malicious activities, such as deploying additional malicious software, exfiltrating data or delivering ransomware.

The security folks document these attacks in their alert message and write that Defender detects these attacks with VMBlastSG. The folks also give PowerShell commands to detect modified files from the attackers. Affected organizations should read the VMware Horizon section of VMware Security Advisory VMSA-2021-0028 and apply the appropriate updates or remediation immediately, or then read NHS Digital High Severity Cyber Alert CC-3995.

Similar articles:
0-day CVE-2021-44228 in Java library log4j puts many projects at risk
log4j vulnerability CVE-2021-44228: Patch your Minecraft
VMware products threatened by log4j vulnerability CVE-2021-44228
log4j FAQ and Repository
Log4j-News (2021/12/18)
Belgian Ministry of Defense affected by Log4j?
QNAP firmware update version QTS build 20211221 and log4j vulnerability
Log4j security messages (12/28/2021)
Windows Defender: Fixes, Issues and Log4j scanner false alarms
RCE vulnerability – similar to log4j – discovered in H2 (Java) database system

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *