VMware is advising customers to patch the critical Log4j security vulnerabilities affecting Internet-exposed VMware Horizon servers, which are being targeted in ongoing attacks. According to the latest NHS Digital report on VMware Horizon systems compromised through the Log4Shell vulnerability, threat actors deploy custom web shells into the VM Blast Secure Gateway service after successful exploitation in order to gain a foothold in the victim's network.
That foothold lets them carry out a range of malicious activity, such as data exfiltration and the delivery of further malware payloads, including ransomware. Microsoft also warned two weeks ago about a Chinese-speaking threat actor tracked as DEV-0401 that uses Log4Shell flaws to install Night Sky ransomware on Internet-exposed VMware Horizon servers.
“Even with VMware’s Security Alerts and continued efforts to contact customers directly, we continue to see that some companies have not patched,” said Kerry Tuttle, VMware’s Corporate Communications Manager. “VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA 2021-0028, which was first published on Dec. 10, 2021, and updated regularly with new information.”
VMware's call to action comes after the Netherlands' National Cybersecurity Centre (NCSC) issued a similar warning last week, urging Dutch enterprises to stay vigilant against the persistent threat of Log4j attacks. Malicious actors will continue to look for vulnerable servers to breach in targeted attacks, according to the Dutch agency, which advised organizations to apply the Log4j security patches or mitigation measures where needed.
According to Shodan, there are thousands of Internet-exposed VMware Horizon servers that all need to be patched against Log4j exploitation efforts. Security vulnerabilities in Log4j (including Log4Shell) constitute a very enticing attack vector for state-sponsored and financially motivated attackers because the open-source Apache logging library is used in software from several vendors.
The Log4Shell remote code execution (RCE) vulnerability, in particular, can be exploited remotely on servers reachable locally or from the Internet, allowing attackers to move laterally across a network until they reach sensitive internal systems. Multiple threat actors, including state-backed hacking groups from China, Iran, North Korea and Turkey, as well as access brokers working with ransomware gangs, began exploiting Log4Shell in the wild soon after its public disclosure.
Tuttle added that when vulnerabilities as wide-ranging as Log4j are found, it is vital that all affected users act immediately to apply the security fixes. Customers are strongly urged to consult VMSA-2021-0028 and follow the instructions for Horizon.