Huntress reports that attackers have begun exploiting the Log4Shell vulnerabilities, which surfaced in December 2021, on servers running VMware Horizon in order to deploy Cobalt Strike.
Log4Shell refers to several critical vulnerabilities in Log4j, the logging package used by many Java developers to generate logs for their applications. VMware describes Horizon as a tool that provides “efficient and secure delivery of virtual desktops and apps from on-premises to the cloud.”
Cobalt Strike, meanwhile, is a command-and-control framework used by security professionals to assess an organization’s ability to respond to malicious activity on its network. (Among other things.) But attackers also frequently use cracked versions of the software to carry out real intrusions.
Huntress says that “an unrelated managed antivirus (Microsoft Defender) tipped our ThreatOps team off to a new exploit of the Log4Shell vulnerability in VMware Horizon on January 14th.” Others, including The DFIR Report and Red Canary, reported similar activity that day.
It makes sense to chain Log4Shell with Cobalt Strike. The former can give attackers initial access to the network; the latter can help them maintain that access so they can gather more information, compromise additional machines, and potentially avoid detection.
“For those of you who have learned about the massive exploitation of VMware Horizon Server and the installation of a backdoor web shell,” Huntress says, “you should seriously consider the possibility of your server being compromised if it is unpatched and Internet-facing.”
Many will have to. “Of the 180 Horizon servers we analyzed, 62 (~34%) were unpatched and Internet-facing at the time of this publication,” says Huntress. It also notes that the Shodan search engine lists approximately 25,000 Internet-facing Horizon servers.
VMware has advised Horizon users to update to the new versions of the software that carry patches for the Log4Shell vulnerabilities. Huntress says companies whose servers have already been compromised should restore their systems from backups made before December 25, 2021.