The UK’s National Health Service (NHS) has issued a warning that hackers are actively targeting Log4J vulnerabilities and is recommending that organisations within the health service apply the necessary updates in order to protect themselves. 

An advisory by NHS Digital says that an ‘unknown threat group’ is attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells which could be use to distribute malware, ransomware, steal sensitive information and other malicious attacks. 

It’s unclear if the warning has been issued because attacks targeting NHS systems have been detected, or if the advisory has been released as a general precaution because of the ongoing problem of the critical security vulnerability in Java logging library Apache Log4j which was disclosed in December

“We are aware of an exploit and are actively monitoring the situation. We will support our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organisations,” an NHS spokesperson told ZDNet. 

The attacks being warned against exploit the Log4Shell vulnerability in the Apache Tomcat service embedded within VMware Horizon. Once the weaknesses have been identified, the attack uses the Lightweight Directory Access Protocol (LDAP) to execute a malicious Java file that injects a web shell into the VM Blast Secure Gateway service 

If successfully exploited, attackers can establish persistence on the affected networks and use this to carry out a number of malicious activities. 

NHS Digital recommends that organisations known to be running Horizon servers take the appropriate action and apply the necessary patches in order to ensure networks can resist attempted attacks. 

“Affected organisations should review the VMware Horizon section of the VMware security advisory VMSA-2021-0028 and apply the relevant updates or mitigations immediately,” said the alert

Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software in organisations around the world which could be at risk from attempts to exploit the vulnerability. 

Cyber criminals were quick to scan for vulnerable systems after the vulnerability was disclosed and a variety of cyber criminals and many took the opportunity to launch attacks including malware and ransomware campaigns. Attackers are still actively exploiting the vulnerability, Microsoft has warned

It’s feared that the widespread use of Log4j in open-source software – to the extent that there’s the potential that organisations may not know it’s even part of the ecosystem – could result in the vulnerability being a problem for years to come

The UK’s National Cyber Security Centre (NCSC) is among those which have issued advice to organisations on how to manage Log4j vulnerabilities in the long run.