Connect with us

Hi, what are you looking for?


Application Security

Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Threat hunters in the U.K.’s National Health Service have raised an alarm for an unknown threat actor hitting vulnerable VMWare Horizon servers with exploits for the ubiquitous Log4j security flaw.

Threat hunters in the U.K.’s National Health Service have raised an alarm for an unknown threat actor hitting vulnerable VMWare Horizon servers with exploits for the ubiquitous Log4j security flaw.

The warning comes almost exactly one month after the first disclosure of a Log4j remote code execution vulnerability that threatens major damage on the internet and heightens the urgency for enterprise defenders to find and fix the issue.

According to an advisory from NHS Digital, attackers are exploiting the critical vulnerability in the Apache Tomcat service embedded within VMware Horizon.  

The NHS Digital team believes the attacks are being used to establish persistence within affected networks and noted that the attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service,” according to the alert.

[ READ: Exploits Swirling for Major Security Defect in Apache Log4j ]

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” it added.

VMWare has already shipped high-priority patches for numerous products affected by Log4j and previously acknowledged scanning attempts to identify signs of vulnerable installations.

Advertisement. Scroll to continue reading.

On the targeted VMware Horizon platform, which is used by enterprises to run virtual desktops and apps across the hybrid cloud, the Log4j vulnerability carries a 10-out-of-10 critical rating.

The NHS Digital team also cautioned that additional VMware systems may be vulnerable and affected organisations should regularly review the VMSA-2021-0028 security advisory.

[READ: Microsoft Spots Multiple Nation-State APTs Poking at Log4j Flaw ]

Using artifacts from the VMWare Horizon attacks, security experts are urging organizations to look for evidence of ws_TomcatService.exe spawning abnormal processes, or any powershell.exe  processes containing ‘VMBlastSG’ in the command line.

Microsoft and others have previously warned that APT actors linked to China, Iran, North Korea and Turkey have already pounced and are actively exploiting the Log4j security defect. 

In a warning late last year, Redmond said nation-state threat actor activity ranged from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve specific objectives.

Related: Google Finds 35,863 Java Packages Using Defective Log4j

Related: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw

Related: Log4Shell Tools and Resources for Defenders (Continuously Updated)

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.