VMware is advising customers to patch their VMware Horizon instances after a recent round of assaults leveraging the Log4Shell flaw.
The security hole, known as CVE-2021-44228, was discovered in the Apache Log4j logging programme in early December 2021 and has since been exploited by both cybercriminals and state-sponsored threat actors.
VMware confirmed that Horizon products are affected and released updates shortly after the vulnerability was disclosed, but customers have been hesitant to apply them.
Despite the business’s efforts, attackers have been effective in compromising organisations by targeting VMware Horizon products that haven’t been patched against Log4Shell, according to the company.
“VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA 2021-0028, which was first published on Dec. 10, 2021 and updated regularly with new information,” according to VMware.
“Customers who have not applied either the patch or the most recent workaround provided in VMware’s security advisory are at risk of being compromised—or may already have been compromised—by threat actors who are actively compromising unpatched, internet-facing Horizon environments using the Apache Log4shell vulnerability,” the company continues.
While SaaS products are patched instantly by the software provider, enterprises employing on-premises software must implement the available security upgrades on their own, according to VMware.
The company has contacted customers directly to guide them through the patching procedure, but some organisations have yet to patch. In light of the ongoing exploitation of the Log4j vulnerability, VMware strongly urges these customers to apply the security patches as soon as possible.
BlackBerry, too, has seen a surge in Log4j attacks targeting the Tomcat service used by VMware Horizon, and states that monitoring child processes of the ws_TomcatService.exe parent process can reliably detect a possible compromise.
After the initial compromise, PowerShell commands are used to download a second-stage payload, which could include cryptomining malware, ransomware, or other malicious tools. In some cases a Cobalt Strike beacon was deployed.
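As an added illustration of the detection approach BlackBerry describes (example code, not from the article, VMware or BlackBerry): a small Python rule run over constructed Sysmon-style process-creation records that flags any child process of ws_TomcatService.exe and rates script interpreters such as PowerShell as high severity. The field names, interpreter list and sample events are assumptions for the example.

```python
from dataclasses import dataclass

# Parent process of VMware Horizon's Tomcat service, as named in the BlackBerry finding.
HORIZON_TOMCAT_PARENT = "ws_tomcatservice.exe"

# Assumed list of interpreters worth escalating; the article specifically mentions PowerShell.
SCRIPT_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


@dataclass
class Alert:
    severity: str
    pid: int
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_tomcat_children(events):
    """Return an Alert for every process-creation event (Sysmon Event ID 1 shape)
    whose parent is ws_TomcatService.exe. Every child is reported, because the
    service is not expected to spawn tools; interpreters are rated 'high'."""
    alerts = []
    for ev in events:
        if _basename(ev["ParentImage"]) != HORIZON_TOMCAT_PARENT:
            continue
        child = _basename(ev["Image"])
        severity = "high" if child in SCRIPT_INTERPRETERS else "medium"
        alerts.append(Alert(severity, ev["ProcessId"], child, ev["CommandLine"]))
    return alerts


# Constructed sample events (not real telemetry), using assumed Sysmon field names.
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command <constructed placeholder>", "ParentImage": TOMCAT},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami", "ParentImage": TOMCAT},
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect_tomcat_children(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} {a.image}: {a.command_line}")
```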
BlackBerry thinks the assaults were carried out by Prophet Spider, an initial access broker (IAB). The threat actor frequently sells access to ransomware operators after breaching company networks.
“When an initial access broker group expresses interest in a vulnerability whose extent is unknown, it’s a good sign that they see significant value in exploiting it. As IT teams and users hurry to remedy these vulnerabilities, we’re likely to see criminal groups examining the potential presented by the Log4Shell issue in the near future,” BlackBerry adds.