VMware is urging customers to patch their VMware Horizon instances as these systems have been targeted in a recent wave of attacks exploiting the Log4Shell vulnerability.
Tracked as CVE-2021-44228, the security flaw was identified in early December 2021 in the Apache Log4j logging utility, and has since been exploited in attacks by both cybercriminals and state-sponsored threat actors.
Soon after the vulnerability was discovered, VMware confirmed that Horizon products are impacted and released patches, yet customers have been slow to apply them.
Now, the company says that, despite its efforts, attackers are successful in compromising organizations by targeting VMware Horizon products that haven’t been patched against Log4Shell.
“VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA 2021-0028, which was first published on Dec. 10, 2021 and updated regularly with new information,” VMware said in an alert.
“Customers who have not applied either the patch or the latest workaround provided in VMware’s security advisory are at risk of being compromised—or may have already been compromised—by threat actors who are leveraging the Apache Log4shell vulnerability to actively compromise unpatched, internet-facing Horizon environments,” the company continues.
While SaaS products are immediately patched by the company providing the software, organizations using on-premises software products need to apply the available security updates on their own, VMware notes.
The company says it has been in contact with customers directly to guide them through the patching process, but some organizations have not patched yet. Given the ongoing exploitation of the Log4j vulnerability, VMware urges these customers to apply the security updates as soon as possible.
BlackBerry too has observed an increase in the number of Log4j attacks targeting the Tomcat service used by VMware Horizon and says that organizations can reliably detect potential compromise by “monitoring child processes of the ws_TomcatService.exe parent process.”
Following the initial compromise, PowerShell commands are used to download a second-stage payload, which may include cryptomining malware, ransomware, or other malicious tools. In some cases, a Cobalt Strike beacon was deployed.
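The detection heuristic BlackBerry describes, worked into a small script as an added example (not code from VMware, BlackBerry or the original article): every process whose parent is ws_TomcatService.exe is reported, with download/execution interpreters such as powershell.exe rated high. The JSON log schema, field names and sample records are constructed for this example, loosely modelled on Sysmon process-creation events; install directories in the samples are also made up.

```python
"""Flag child processes of ws_TomcatService.exe (VMware Horizon's Tomcat service).
Log schema and sample records are constructed for this example."""
import json
from dataclasses import dataclass

# Interpreters and built-in tools often used to fetch a second stage; constructed watchlist.
HIGH_RISK_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
                      "bitsadmin.exe", "mshta.exe", "rundll32.exe", "wscript.exe"}
HORIZON_TOMCAT = "ws_tomcatservice.exe"

@dataclass
class Finding:
    record_id: str
    child: str
    severity: str
    command_line: str

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_events(text: str) -> list:
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_tomcat_children(events) -> list:
    """Report every child of ws_TomcatService.exe: known interpreters are rated
    high, anything else medium so an analyst still triages it."""
    findings = []
    for ev in events:
        if basename(ev.get("parent_image", "")) != HORIZON_TOMCAT:
            continue
        child = basename(ev.get("image", ""))
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        findings.append(Finding(str(ev.get("id", "?")), child, severity,
                                ev.get("command_line", "")))
    return findings

# Constructed sample records (raw string so the JSON backslash escapes survive).
SAMPLE_LOG = r"""
{"id": 1, "parent_image": "C:\\Program Files\\Horizon\\bin\\ws_TomcatService.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -enc <ENCODED_PAYLOAD_PLACEHOLDER>"}
{"id": 2, "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"}
{"id": 3, "parent_image": "C:\\Program Files\\Horizon\\bin\\ws_TomcatService.exe", "image": "C:\\Users\\Public\\updater.exe", "command_line": "updater.exe"}
{"id": 4, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
"""

if __name__ == "__main__":
    for f in flag_tomcat_children(parse_events(SAMPLE_LOG)):
        print(f"[{f.severity}] record {f.record_id}: {f.child} <- {f.command_line}")
```

Record 2 shows why the parent check matters: the same powershell.exe image launched by svchost.exe is not flagged, so the rule stays quiet on routine administration.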
BlackBerry believes that the attacks were conducted by an initial access broker (IAB) tracked as Prophet Spider. After compromising enterprise networks, the threat actor usually sells access to ransomware operators.
“When an initial access broker group takes interest in a vulnerability whose scope may never be known, this gives us a good indication that they see significant value in its exploitation. It’s likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability in the near future, as IT teams and users continue to scramble to address these vulnerabilities,” BlackBerry concludes.