Attackers continue to target VMware Horizon servers, which many organizations use to securely access enterprise apps for remote workers. Attackers are exploiting the critical Apache Log4j remote code execution vulnerability that came to the fore in December 2021.
Sophos researchers identified a wave of attacks against vulnerable Horizon servers beginning on January 19, 2022, and continuing to the present. In several attacks, threat actors attempted to plant cryptocurrency miners such as JavaX miner, Jin, z0Miner, XMRig variants and other similar miners. In other attacks, Sophos said, the attackers attempted to install backdoors in order to maintain access to the compromised systems.
The security vendor said its analysis suggests that the attackers planting these backdoors are acting as initial access brokers (IABs), selling access to the compromised networks to other threat actors for a fee. Ransomware operators have made extensive use of IABs recently. The current attacks against VMware Horizon may therefore be a harbinger of ransomware attacks exploiting the Log4j flaw in old, unpatched versions of the VMware Horizon server, Sophos said.
“The Web shells appear to be connected in some cases with known IAB methods and infrastructure,” says Scott Barlow, vice president of global MSP at Sophos. “The shells they dropped would provide initial access for anyone they sold access to and could also be used for credential harvesting.”
The UK National Health Service (NHS) had warned about attacks against VMware Horizon servers affected by the Log4j vulnerability (CVE-2021-44228).
In January, NHS Digital, which maintains and runs IT infrastructure and services for healthcare entities in the United Kingdom, said it had observed an unknown threat actor exploiting the Log4j RCE vulnerability in the Apache Tomcat service embedded in VMware Horizon to install a Web shell on affected systems. Through the Web shell, attackers can carry out a range of malicious activities, including planting ransomware and other malware and exfiltrating data from compromised healthcare systems and networks.
In December 2021, VMware released an updated version of the VMware Horizon server that patched the vulnerability, and it advised organisations to update their software given the seriousness of the Log4j flaw.
Apache disclosed the Log4j vulnerabilities in December 2021; CVE-2021-44228 is the most critical of the three. The flaws relate to a JNDI (Java Naming and Directory Interface) lookup feature that is enabled by default in Log4j versions from 2.0-beta9 through 2.14.1. The vulnerability allows attackers to gain complete control of a vulnerable system, and it is considered a serious flaw because it affects almost every Java application and is easy to exploit.
Contrary to popular assumption, attacks exploiting the Log4j vulnerability have been relatively few since the flaw was disclosed. However, many security experts expect attackers to continue exploiting the flaws in the future because organisations find them difficult to detect and fix. Many organisations are also said to be unaware that the flaw is present in their systems, which is exactly what attackers are exploiting.
Sophos said that in some cases attackers exploited the vulnerability in the Tomcat service to execute a PowerShell script that planted the Cobalt Strike reverse-shell tool on affected systems. In other cases, the attackers skipped Cobalt Strike and used the Tomcat server in VMware Horizon to plant the Web shell directly.
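As an added example (not Sophos's, VMware's or Apache's code), the following Python helper applies the version range given above to an inventory check: it walks a directory tree for log4j-core jars, parses their versions (including 2.0-beta9 style pre-releases), and flags any jar in the affected range that still ships the JndiLookup class. The jar-fixture builder, the directory layout and the version-in-filename convention are constructed assumptions for offline testing.

```python
"""Inventory check for Log4j 2 jars in the JNDI-lookup affected range (assumed helper)."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOWER, UPPER = "2.0-beta9", "2.14.1"  # affected range as stated in the article
STAGE = {"beta": 0, "rc": 1}          # pre-release order; a final release ranks above both (2)

def parse_version(v: str) -> tuple:
    """'2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, stage, num = m.groups()
    stage_rank, pre_num = (STAGE[stage], int(num)) if stage else (2, 0)
    return (int(major), int(minor), int(patch or 0), stage_rank, pre_num)

def is_vulnerable_version(v: str) -> bool:
    """True if v lies inside the affected range given in the article."""
    return parse_version(LOWER) <= parse_version(v) <= parse_version(UPPER)

def jar_has_jndi_lookup(jar_path) -> bool:
    """True if the jar still contains JndiLookup.class (a common mitigation deletes it)."""
    with zipfile.ZipFile(jar_path) as z:
        return JNDI_LOOKUP_CLASS in z.namelist()

def scan(root) -> dict:
    """Map each log4j-core-<version>.jar under root to whether it needs attention."""
    findings = {}
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = re.match(r"log4j-core-(.+)\.jar$", jar.name).group(1)
        findings[version] = is_vulnerable_version(version) and jar_has_jndi_lookup(jar)
    return findings

def make_sample_jar(folder, version: str, include_jndi: bool = True) -> Path:
    """Constructed fixture: a minimal jar named like a real log4j-core artefact."""
    p = Path(folder) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(p, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return p

def demo() -> dict:
    """Build three constructed jars in a temp dir and scan them."""
    d = tempfile.mkdtemp()
    make_sample_jar(d, "2.14.1")                      # in range, class present: flag
    make_sample_jar(d, "2.13.3", include_jndi=False)  # in range, class removed: no flag
    make_sample_jar(d, "2.17.1")                      # past the range: no flag
    return scan(d)

if __name__ == "__main__":
    print(demo())  # {'2.14.1': True, '2.13.3': False, '2.17.1': False}
```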
“We found several different payloads being deployed to Horizon hosts targeted by these campaigns,” Sophos said.
These included cryptocurrency miners and several backdoors, among them legitimate remote-management products such as the Atera agent and Splashtop Streamer.
“These are commercial remote management tools,” Barlow says. “They are frequently abused by ransomware operators because they can be used to securely deploy and launch any software via the agent and appear to be from legitimate sources.”