December 6, 2023

VMware Horizon servers are used to enable secure anywhere, anytime access to enterprise apps for remote workers continue to be a main target for attackers exploiting the Apache Log4j RCE vulnerability that taken a swing during last year end.

Researchers from Sophos has observed a wave of attacks against vulnerable Horizon servers starting January 19, 2022, through now. Attacks have been seen installing cryptocurrency miners such as JavaX miner, Jin, z0Miner, XMRig variants, and other similar tools. Also ,attackers attempting to install backdoors as a Initial Access Brokers for maintaining persistent access on compromised systems.


The UK NHS was one of the first to warn about attacks targeting VMware Horizon servers containing the Log4j vulnerability (CVE-2021-44228).

In a January alert, NHS Digital, said it had observed an unknown threat actor exploiting the Log4J RCE vulnerability in the Apache Tomcat service embedded within VMware Horizon to install a Web shell on compromised systems. Attackers could use the Web shell to carry out a range of malicious activities, including deploying ransomware and other malware, and to steal data from compromised healthcare systems and networks.

VMware issued an updated version of VMware Horizon server that addressed the vulnerability back in December 2021 urging organizations using the technology to upgrade to the fixed version, citing the severity of the Log4j flaw and the potential for abuse. The company also released updates for numerous other products that contained vulnerable versions of Log4j.

There is also considerable fear that attackers have already exploited the flaw to gain access to many organizations that simply have not discovered the intrusions yet.

Attackers in some instances exploiting the vulnerability in the Tomcat service to execute a PowerShell script for dropping the Cobalt Strike reverse-shell tool on infected systems. In other instances, the attackers bypassed Cobalt Strike and targeted the Tomcat server in VMware Horizon to drop the Web shell.


These included cryptocurrency miners and several backdoors, including legitimate products such as the Atera agent and Splashtop Streamer.

Organizations should conduct a full review of their software and determine whether they still have unaddressed vulnerabilities to Log4Shell. Breaches need to be sweeped out quickly before a havoc

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.