VMware urges customers to patch VMware Horizon servers against Log4j attacks

Pierluigi Paganini January 26, 2022

VMware released security patches to address critical Log4j security vulnerabilities in VMware Horizon servers targeted in ongoing attacks.

VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks.

Searching for Internet-exposed VMware Horizon servers with Shodan, we can find tens of thousands of installs potentially exposed to attacks.

This month, the Night Sky ransomware operation started exploiting the Log4Shell flaw (CVE-2021-44228) in the Log4j library to gain access to VMware Horizon systems.

In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of 2111, 7.13.1, 7.10.3 versions, but unfortunately many unpatched systems are still exposed online.


Recently, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

The security team at the UK National Health Service (NHS) also announced to have spotted threat actors exploiting the Log4Shell vulnerability to hack VMWare Horizon servers and install web shells.

“An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks.” reads the security advisory published by NHS.

“The attack likely consists of a reconnaissance phase, where the attacker uses theJava Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure. Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

Once installed a web shell, threat actors can use it to carry out a broad range of malicious activities, such as deploying data exfiltration or deployment of ransomware.

Upon exploiting log4J flaws, threat actors deploy custom web shells into the VM Blast Secure Gateway service to gain access to the networks of target organizations.

In an email to Bleeping Computer today, VMware said they are strongly urging customers to patch their Horizon servers to defend against these active attacks.

Multiple VMWare products, including VMware Horizon products, are impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).

Recently the Dutch National Cybersecurity Centre (NCSC) warned organizations to remain vigilant on possible attacks exploiting the Log4J vulnerability. According to the Dutch agency, threat actors the NCSC will continue to attempt to exploit the Log4Shell flaw in future attacks.

“Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn’t mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant.” states the Dutch NCSC agency. “The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity.”

The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high.

The virtualization giant urges customers to examine VMSA-2021-0028 and apply the guidance for Horizon. VMware published a dedicated Guidance to VMware Horizon customers regarding Log4j.

“In a zero-day situation such as the Apache Software Foundation Log4j vulnerability, cyber criminals are racing to exploit the vulnerabilities identified by CVE-2021-44228 and CVE-2021-45046 before organizations can address them. We continue to amplify the message in our security advisory, VMSA-2021-0028, urging customers to address the vulnerability immediately, including with VMware Horizon 8 and Horizon 7.x.” reads the guidance. “While most customers have followed the guidance, those who have not done so remain at risk.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VMware Horizon)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment