The UK's National Health Service has issued a warning that "unknown threat actors" are working to exploit vulnerable VMware Horizon servers to set up web shells on their victims' systems, thereby establishing persistence in their targets. The versions under active exploitation include Horizon Connection Server (64-bit) 2006-2111, 7.13.0-7.13.1, and 7.10.0-7.10.3.
VMware was quick to respond to notification of the Log4j vulnerabilities, and its products have received appropriate upgrades. Nonetheless, as The Record points out, a non-negligible number of users haven't yet updated their software, and the threat actors are taking advantage accordingly.
The NHS doesn't identify the threat actor whose behavior it describes, and indeed there may not be any single actor responsible for the attempts. Duo Security's Decipher says that there is more than one bad actor engaged in this kind of exploitation: "[S]ince the first disclosures of the Log4j bug a wide variety of attack groups have been exploiting it. APT groups, lone actors, and cybercrime groups all have been seen exploiting one or more of the Log4j flaws that have been disclosed in the last few weeks."
Duo's Decipher also points out that, while the US Cybersecurity and Infrastructure Security Agency (CISA) has indicated that the agencies it oversees are now in general compliance with Emergency Directive 22-02 (Mitigate Apache Log4j Vulnerability), the agency has been tight-lipped about details of compliance. This is understandable in what CISA characterized to MeriTalk yesterday as an ongoing process of remediation, and the agency intends to issue a cross-agency status report by February 15th.
The experience of finding and fixing Log4j vulnerabilities has demonstrated how complex the software supply chain is, and how complicated the process of vetting it will inevitably be. As ZDNet puts it in writing about this particular case, "the Log4j flaw for Java web applications will haunt tech people for years." An essay in POLITICO argues, in part, that Log4j has exposed the limitations of the self-correcting, evolutionary model of security that's long informed the open-source community's practices.