Threat actors continue trying to compromise VMWare Horizon systems through unpatched vulnerabilities in applications’ Log4j2 Java libraries, say researchers at Sophos.
In a report issued this week, the company says attempts to leverage Horizon and install cryptocurrency mining software or backdoors grew in January. And while the attempts have dropped off since then, they are continuing.
“The largest wave of Log4j attacks aimed at Horizon that we have detected began January 19, and is still ongoing,” the report says. Unlike others, this wave doesn’t rely on an installed Cobalt Strike beacon back to the hackers. Instead, the cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server.
Discovered in December, 2021, the vulnerability (CVE-2021-44228) enables a remote attacker to take control of a device on the internet through text messages if it runs certain versions of Log4j2. Apache had to issue four patches to address this and subsequently discovered holes.
“Organizations should thoroughly research their exposure to potential Log4j vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support,” says the Sophos report. “But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily found and exploited with well-tested tools.”
The report notes that VMWare issued patches for Horizon on March 8. But, it adds, many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. “Even if they have,” the report says, “as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.”
Organizations should ensure that they have defense in depth in place to detect and block malicious activity of all types on servers as well as clients, the report adds. Even after patches are applied, a full assessment of previously vulnerable systems for other potential malware or compromise—including off-the-shelf and commercial software of questionable origin — has to be done. Sophos found several different payloads being deployed to Horizon hosts targeted by these campaigns. These included the z0Miner, the JavaX miner and at least two XMRig variants, Jin and Mimu cryptocurrency miner bots.
There were also several backdoors—including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused, Sophos says), and several PowerShell-based reverse shells.
While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the report says Jin bots were tied to use of Sliver, and used the same wallets as Mimo—suggesting these three pieces of malware were used by the same actor.