Hackers Exploit Log4Shell to Infect VMware Horizon Servers


Huntress reports that attackers have begun to use the Log4Shell vulnerabilities disclosed in December 2021 on servers running VMware Horizon to deploy Cobalt Strike.

Log4Shell refers to several high-severity vulnerabilities in the Log4j package used by many Java developers to create logs for their applications. VMware describes Horizon as a tool offering “efficient and secure delivery of virtual desktops and apps from on-premises to the cloud.”

Cobalt Strike, meanwhile, is a command-and-control framework that security professionals use to assess an organization’s ability to respond to malicious activity on its network, among other things. But hackers often use cracked versions of the software to conduct attacks, too.

Huntress says that “an unrelated Managed Antivirus detection (Microsoft Defender) tipped our ThreatOps team to new exploitation of the Log4Shell vulnerability in VMware Horizon” on Jan. 14. Others, including The DFIR Report and Red Canary, reported similar activity that day.

Exploiting the Log4Shell vulnerabilities to deploy Cobalt Strike makes sense. The former can give attackers initial access to a network; the latter can help them maintain that access so they can gather more information, compromise more machines, and potentially evade detection.

“For those of you just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells,” Huntress says, “you should seriously consider the possibility that your server is compromised if it was unpatched and internet-facing.”

Plenty of people will have some thinking to do. Huntress says “that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet-facing at the time of this publication.” It also notes that the Shodan search tool lists roughly 25,000 internet-facing Horizon servers.

VMware has advised Horizon users to update to new versions of the software with patches for the Log4Shell vulnerabilities. Huntress says companies with servers that have already been compromised should restore their systems from a backup created prior to Dec. 25, 2021.
