Hackers still trying to compromise VMWare Horizon through Log4j bug, says Sophos

Share post:

Threat actors continue trying to compromise VMWare Horizon systems through unpatched vulnerabilities in applications’ Log4j2 Java libraries, say researchers at Sophos. In a report issued this week, the company says attempts to leverage Horizon and install cryptocurrency mining software or backdoors grew in January. And while the attempts have dropped off since then, they are continuing. “The largest wave of Log4j attacks aimed at Horizon that we have detected began January 19, and is still ongoing,” the report says. Unlike others, this wave doesn’t rely on an installed Cobalt Strike beacon back to the hackers. Instead, the cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server. Discovered in December, 2021, the vulnerability (CVE-2021-44228) enables a remote attacker to take control of a device on the internet through text messages if it runs certain versions of Log4j2. Apache had to issue four patches to address this and subsequently discovered holes. “Organizations should thoroughly research their exposure to potential Log4j vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support,” says the Sophos report. “But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily found and exploited with well-tested tools.” The report notes that VMWare issued patches for Horizon on March 8.  But, it adds, many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. “Even if they have,” the report says, “as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.”
Organizations should ensure that they have defense in depth in place to detect and block malicious activity of all types on servers as well as clients, the report adds. Even after patches are applied, a full assessment of previously vulnerable systems for other potential malware or compromise—including off-the-shelf and commercial software of questionable origin — has to be done. Sophos found several different payloads being deployed to Horizon hosts targeted by these campaigns. These included the z0Miner, the JavaX miner and at least two XMRig variants, Jin and Mimu cryptocurrency miner bots. There were also several backdoors—including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused, Sophos says),  and several PowerShell-based reverse shells. While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the report says Jin bots were tied to use of Sliver, and used the same wallets as Mimo—suggesting these three pieces of malware were used by the same actor. The post Hackers still trying to compromise VMWare Horizon through Log4j bug, says Sophos first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, Week in Review for week ending Friday May 17, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, May 17th,...

Cyber Security Today, May 17, 2024 – Malware hiding in Apache Tomcat servers

Malware hiding in Apache Tomcat servers, new backdoors found, and more Welcome to Cyber Security Today. It's Friday, May...

MIT students exploit blockchain vulnerability to steal 25 million dollars

Two MIT students have been implicated in a highly sophisticated cryptocurrency heist, where they reportedly exploited a vulnerability...

Cyber Security Today, May 15, 2024 – Ebury botnet still exploits Linux servers, Microsoft, SAP and Apple issue security updates

The Ebury botnet continues to exploit Linux servers, Microsoft, SAP and Apple issue security updates, and more. Welcome to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways