VMware Horizon Servers Still Under Log4Shell Attacks

Hackers are still using the Log4Shell exploit to attack VMware Horizon servers and deploy cryptominers and backdoors, according to Sophos.

March 29, 2022 | Zachary Comeau

Image: Log4Shell, Log4j, CVE-2021-44228 (stock.adobe.com/Jaiz Anuar)

Hackers are continuing to leverage the Log4Shell vulnerability to attack VMware Horizon servers and deploy cryptocurrency mining malware and backdoors, with a large wave of such attacks from mid-January still ongoing, according to cybersecurity firm Sophos.

In a new report, Sophos says the attempts to leverage Horizon continued and grew in number throughout January and were frequently associated with attempts to deploy crypto miners, but others appeared to be associated with initial access brokers or ransomware gangs.

Log4Shell is a critical vulnerability in Log4j, a popular Java logging library whose lookup feature can fetch resources over the Lightweight Directory Access Protocol (LDAP). Attackers can abuse that lookup to retrieve a malicious Java class file that modifies existing legitimate Java code, adding a web shell that gives them remote access and code execution. Such attacks have been observed since the beginning of January, Sophos says in the report, published Tuesday.

A large wave of attacks began on Jan. 14, some of which used Cobalt Strike to stage and execute the cryptominer payloads. However, the largest wave of Log4Shell exploits aimed at Horizon detected by Sophos began Jan. 19, and this wave did not rely on Cobalt Strike. Instead, the cryptominer installer script was executed directly from the Apache Tomcat component of the Horizon server, the report says.

According to Sophos, the earlier attacks show a typical process trace that starts from the Tomcat service executable and ends with the execution of a PowerShell script, which runs a standard Cobalt Strike reverse shell.

However, other exploits bypass the use of Cobalt Strike altogether and use Log4Shell to directly target the Tomcat server within Horizon.
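The process trace described above (Tomcat service executable at the root, a PowerShell script at the end) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Sophos or this article: it walks the parent chain of every shell process and flags those descended from a Tomcat process, so it also catches indirect chains such as Tomcat to cmd.exe to powershell.exe. The event fields, the Horizon install path and the sample events are constructed assumptions.

```python
# Added example (not from the Sophos report or this article): flag process
# chains in which a Tomcat service process on a Horizon host is an ancestor
# of PowerShell or cmd.exe. Field names, paths and sample events are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable path as a process-creation log would record it
    cmdline: str


SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def is_tomcat(image: str) -> bool:
    # Assumption: the Horizon Tomcat service binary has "tomcat" in its name.
    return "tomcat" in image.lower()


def is_shell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in SHELLS


def find_tomcat_shell_chains(events, max_depth=8):
    """Return [(shell_event, ancestors)] for shells with a Tomcat ancestor.

    ancestors is ordered from the shell's parent up to the Tomcat process.
    max_depth bounds the walk so a corrupt ppid loop cannot hang the scan.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not is_shell(e.image):
            continue
        chain, cur = [], e
        for _ in range(max_depth):
            parent = by_pid.get(cur.ppid)
            if parent is None:          # reached a root we have no event for
                break
            chain.append(parent)
            if is_tomcat(parent.image):
                hits.append((e, chain))
                break
            cur = parent
    return hits


# Constructed sample events (not real telemetry); pids 512/520 should match.
SAMPLE = [
    ProcEvent(400, 4, r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe", "ws_TomcatService.exe"),
    ProcEvent(512, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -File <script>.ps1"),
    ProcEvent(520, 512, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -File <script>.ps1"),
    ProcEvent(700, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(701, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell"),
]
```

Run `find_tomcat_shell_chains(SAMPLE)` to see the two flagged processes; an interactive PowerShell launched from Explorer is left alone because no Tomcat process is in its ancestry.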

The payloads deployed to Horizon hosts include various cryptocurrency miners: z0Miner, the JavaX miner and at least two XMRig variants, the Jin and Mimo cryptominer bots.

In addition, Sophos discovered several backdoors being used, including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused), along with several PowerShell-based reverse shells.

While some payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to the use of Sliver and used the same wallets as Mimo, suggesting they were operated by the same threat group.

VMware Horizon servers are among the most targeted products of attackers using the Log4Shell exploit. VMware has issued patches, but many organizations still have not mitigated the vulnerabilities by applying the patch or workarounds.

Even if they are now patched, systems may already be compromised due to the backdoors and reverse shells used in these exploits, according to Sophos, which calls for organizations to thoroughly research their exposure to Log4Shell.

“Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways,” the company says in its report.

Read the company’s report for more information on detecting these attacks.
