Why VMware Horizon became a ‘top choice’ for Log4j attacks

VMware Horizon has turned into one of the most popular targets for attackers looking to exploit the vulnerability in Log4j — underscoring the need for updating any remaining unpatched systems and implementing security measures around its use.

For attackers, the virtual desktop platform offers an attractive combination of potential internet accessibility, wide use by well-endowed enterprises, and valuable corporate data once they’re inside.

Like many VMware products, Horizon leverages Apache Log4j, a common open source logging software component. That makes unpatched versions of the product susceptible to the easily exploited remote code execution vulnerability disclosed December 9.

Attacker activity

Since the disclosure, numerous reports have emerged of attackers exploiting vulnerable instances of VMware Horizon — including from Microsoft, CrowdStrike, and the U.K. National Health Service.

The most recent reports came this week, with BlackBerry researchers disclosing they have correlated attacks by an initial access broker group — known as “Prophet Spider” — with an exploit of the Log4j flaw in a VMware Horizon environment. Also in a report this week, Red Canary said it has observed activity by Prophet Spider related to a Log4j exploit of Horizon.

Starting in late December, Red Canary researchers observed a notable increase in threat actor exploits of vulnerable VMware Horizon servers. Combined with other reports, this suggests VMware Horizon “is a top choice for adversaries to narrow their Log4j targeting,” the Red Canary researchers said.

Cybersecurity executives told VentureBeat this week that VMware Horizon has been targeted so heavily for a combination of reasons — though the attackers have likely also benefitted from lax security practices around the use of the platform.

Remote access

During the transition to remote work during the pandemic, many companies exposed their VMware Horizon access gateways to the internet, according to Jimmy Astle, senior director of detection enablement at Red Canary. This enabled remote workers to leverage all of their corporate resources directly through their web browser.

“While connecting Horizon access gateways to the internet enabled remote work, it may have unintentionally increased the overall exposure to this vulnerability,” Astle said in an email.

The fact that a company is running VMware Horizon in the first place is also a sign that it might be a worthwhile target for an attacker, he said. Horizon software and the hardware required to run it are not cheap, meaning that “the companies using it are typically well-funded and attractive targets,” Astle said.

Even so, VMware Horizon enjoys wide usage among enterprises — another attractive element for attackers, executives said.

In fact, VMware Horizon is “quite possibly” the most widely used product with both Log4j and a strong potential for being internet-facing, said Jon Gaines, senior application security consultant at nVisium.

The wide use of VMware Horizon has thus given threat actors a large number of possible targets, while also being more efficient from the perspective of exploit creation.

Exploits against a given vulnerability often need to be tailored a specific product, “which means attackers are inclined to build exploits that can affect the greatest number of targets,” said Yaniv Bar-Dayan, cofounder and CEO at Vulcan Cyber.

‘Rich target’

Meanwhile, the features of VMware Horizon itself — as a platform for virtual desktops and applications — adds even more appeal for attackers.

“By compromising the Horizon instance, you can gain access to many virtual desktops and applications,” Gaines said in an email.

Access to multiple applications and virtual desktops “provides threat actors with valuable data,” as well as powerful hardware resources to mine cryptocurrencies, said Davis McCarthy, principal security researcher at Valtix.

With multiple hosts running in a single hypervisor, VMware Horizon is “a rich target by design,” McCarthy said in an email.

There are also good reasons why Horizon appears to have been targeted more than other VMware products, many of which have also contained Log4j. In other VMware products, the vulnerability has not been as easy to exploit — and required multiple steps in some cases, said Matthew Warner, cofounder and chief technology officer at Blumira.

VMware Horizon is vulnerable by executing a simple GET against any VMware Horizon server with a specifically modified header, Warner said in an email. “This resulted in a situation where attackers who would usually perform scan and exploit could quickly add VMware Horizon to their attack patterns.”

Vigorous response

For its part, VMware appears to have done what it could in responding to the issue so far, executives told VentureBeat.

The day after the Log4j vulnerability was disclosed, VMware released an advisory and began releasing patches and workarounds “very quickly,” Bar-Dayan said.

“VMware has done well here to enable their customer community to update and protect their systems,” he said.

Gaines agreed, saying he’s “impressed” by VMware’s response — which he noted has included publishing multiple blog posts and regular updates to its Log4j advisory.

McCarthy added that while VMware has offered “timely information on the vulnerability and what’s needed to remediate it” on its website, “this is not the case for other software vendors.”

In response to the reports that attackers have exploited vulnerable Horizon instances, VMware said that it has taken the situation around the Log4j vulnerability “very seriously.”

Organizations using on-premises software “must take their own affirmative steps to apply the security patch in their own environment,” the company noted.

“Even with VMware’s Security Alerts and continued efforts to contact customers directly, we continue to see that some companies have not patched,” VMware said in its statement. “VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA 2021-0028, which was first published on Dec. 10, 2021, and updated regularly with new information.”

Customers that haven’t applied the patch, or the latest workaround provided in the VMware security advisory, “are at risk of being compromised — or may have already been compromised — by threat actors who are leveraging the Apache Log4shell vulnerability to actively compromise unpatched Horizon environments,” VMware said.

VMware also recommend that customers read its FAQ document and join the VMware Security-Announce mailing list to receive future advisories.

Internet-facing

The compromises of VMware Horizon are about more than just unpatched systems, however, cyber executives told VentureBeat.

Roger Koehler, vice president of threat operations at Huntress, noted that his firm’s research (using the Shodan search engine) has revealed approximately 25,000 VMware Horizon servers that have been accessible to the internet.

“If only 10% of these were vulnerable, that gives an attacker 2,500 Horizon servers to gain access into an environment,” Koehler said in an email.

Executives said they see few situations where a company would need to allow Horizon to be internet accessible without requiring additional security measures, such as a VPN and multi-factor authentication.

“There is almost never a situation where VMware Horizon should be internet-facing” without additional security in place, Warner said.

“If you want to make something easier to get to remotely, it should be behind a VPN to do so,” he said.

Another common mistake that’s made when opening up internal resources to the internet is forgetting to implement egress filtering rules, Astle said. Egress filtering allows you to control which ports are allowed to make outbound network connections from internet-facing machines, he said.

“This single step would significantly hinder an attacker’s success rate in exploiting this vulnerability,” Astle said.

Patching, of course, remains critical. While other security measures can help lower the risk involved with use of internet-accessible software, they’re no substitute for eliminating the vulnerability altogether, executives said.

“The biggest recommendation for VMware Horizon administrators is to follow VMware’s advice and make sure to patch their systems,” Koehler said.