Hackers still trying to compromise VMware Horizon through Log4j bug, says Sophos


Threat actors continue trying to compromise VMware Horizon systems through unpatched vulnerabilities in applications’ Log4j2 Java libraries, say researchers at Sophos. In a report issued this week, the company says attempts to leverage Horizon and install cryptocurrency mining software or backdoors grew in January. And while the attempts have dropped off since then, they are continuing.

“The largest wave of Log4j attacks aimed at Horizon that we have detected began January 19, and is still ongoing,” the report says. Unlike others, this wave doesn’t rely on an installed Cobalt Strike beacon back to the hackers. Instead, the cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server.

Discovered in December 2021, the vulnerability (CVE-2021-44228) enables a remote attacker to take control of an internet-facing device by sending it crafted text that gets logged, if it runs certain versions of Log4j2. Apache had to issue four patches to address this and subsequently discovered holes.

“Organizations should thoroughly research their exposure to potential Log4j vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support,” says the Sophos report. “But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily be found and exploited with well-tested tools.”

The report notes that VMware issued patches for Horizon on March 8. But, it adds, many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. “Even if they have,” the report says, “as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.”
Organizations should ensure that they have defense in depth in place to detect and block malicious activity of all types on servers as well as clients, the report adds. Even after patches are applied, a full assessment of previously vulnerable systems for other potential malware or compromise—including off-the-shelf and commercial software of questionable origin—has to be done.

Sophos found several different payloads being deployed to Horizon hosts targeted by these campaigns. These included the z0Miner, the JavaX miner and at least two XMRig variants, the Jin and Mimu cryptocurrency miner bots. There were also several backdoors—including the Sliver implant, the Atera agent and Splashtop Streamer (both legitimate software products being abused, Sophos says)—and several PowerShell-based reverse shells.

While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the report says the Jin bots were tied to use of Sliver and used the same wallets as Mimo, suggesting these three pieces of malware were used by the same actor.
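The report’s advice to research exposure and to verify that workarounds were actually applied can be checked on a Tomcat deployment by inspecting the WAR and JAR files it serves. The scanner below is an added example, not code from Sophos or VMware: it walks an archive (recursing into nested JARs, as in a WAR’s WEB-INF/lib), reads the log4j-core version from the manifest, and reports whether the JndiLookup class that Apache’s official workaround removes is still present. The sample WAR it scans is constructed in memory and stands in for a real Horizon deployment.

```python
import io
import re
import zipfile

# Versions below this still carry one of the holes Apache closed in its four
# successive Log4j 2 fixes (2.15.0, 2.16.0, 2.17.0, 2.17.1).
FIXED = (2, 17, 1)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(manifest):
    """Extract (major, minor, patch) from a JAR manifest, or None if absent."""
    m = re.search(r"Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest)
    return tuple(int(g) for g in m.groups()) if m else None


def scan_archive(data, path="<root>"):
    """Yield one finding per log4j-core copy found in `data` or any nested archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            version = parse_version(manifest)
            lookup_present = JNDI_LOOKUP in names
            yield {
                "path": path,
                "version": version,
                "jndi_lookup_present": lookup_present,
                # Old (or unidentifiable) version AND the lookup class not stripped.
                "vulnerable": (version is None or version < FIXED) and lookup_present,
            }
        for n in names:  # recurse into bundled archives (WEB-INF/lib, fat JARs)
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(n), f"{path}!{n}")


def make_jar(version, include_lookup=True):
    """Constructed test fixture shaped like log4j-core; not the real library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()


def findings():
    """Scan a constructed WAR holding an unpatched, a patched, and a worked-around copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_jar("2.17.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1-stripped.jar",
                    make_jar("2.14.1", include_lookup=False))
    return list(scan_archive(buf.getvalue(), "sample.war"))


if __name__ == "__main__":
    for f in findings():
        print(f)
```

Only the first copy is reported as vulnerable; the 2.17.1 copy and the 2.14.1 copy with JndiLookup.class removed are not, which mirrors the patched and worked-around states the report distinguishes.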
Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
