Hackers still trying to compromise VMWare Horizon through Log4j bug, says Sophos

Threat actors continue trying to compromise VMWare Horizon systems through unpatched vulnerabilities in applications’ Log4j2 Java libraries, say researchers at Sophos.

In a report issued this week, the company says attempts to leverage Horizon and install cryptocurrency mining software or backdoors grew in January. And while the attempts have dropped off since then, they are continuing.

“The largest wave of Log4j attacks aimed at Horizon that we have detected began January 19, and is still ongoing,” the report says. Unlike others, this wave doesn’t rely on an installed Cobalt Strike beacon back to the hackers. Instead, the cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server.

Discovered in December, 2021, the vulnerability (CVE-2021-44228) enables a remote attacker to take control of a device on the internet through text messages if it runs certain versions of Log4j2. Apache had to issue four patches to address this and subsequently discovered holes.

“Organizations should thoroughly research their exposure to potential Log4j vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support,” says the Sophos report. “But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily found and exploited with well-tested tools.”

The report notes that VMWare issued patches for Horizon on March 8.  But, it adds, many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. “Even if they have,” the report says, “as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.”

Log4Shell bug used to deploy NightSky ransomware on VMware Horizon, says Microsoft

Organizations should ensure that they have defense in depth in place to detect and block malicious activity of all types on servers as well as clients, the report adds. Even after patches are applied, a full assessment of previously vulnerable systems for other potential malware or compromise—including off-the-shelf and commercial software of questionable origin — has to be done. Sophos found several different payloads being deployed to Horizon hosts targeted by these campaigns. These included the z0Miner, the JavaX miner and at least two XMRig variants, Jin and Mimu cryptocurrency miner bots.

There were also several backdoors—including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused, Sophos says),  and several PowerShell-based reverse shells.

While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the report says Jin bots were tied to use of Sliver, and used the same wallets as Mimo—suggesting these three pieces of malware were used by the same actor.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.