Hackers Exploit Log4Shell to Infect VMware Horizon Servers

pcmag.com:

Huntress reports that attackers have started to exploit the Log4Shell vulnerabilities revealed in December 2021 on servers running VMware Horizon to deploy Cobalt Strike.

Log4Shell refers to several high severity vulnerabilities in the Log4j package used by countless Java developers to create logs for their applications. VMware describes Horizon as a tool offering "efficient and secure delivery of virtual desktops and apps from on-premises to the cloud."

Cobalt Strike, meanwhile, is a command and control framework security professionals use to assess an organization's ability to respond to malicious activity on its network. (Among other things.) But hackers often use cracked versions of the software to conduct attacks, too.

Huntress says that "an unrelated Managed Antivirus detection (Microsoft Defender) tipped our ThreatOps team to new exploitation of the Log4Shell vulnerability in VMware Horizon" on Jan. 14. Others, including The DFIR Report and Red Canary, reported similar activity that day.

Exploiting the Log4Shell vulnerabilities to deploy Cobalt Strike makes sense. The former can offer attackers initial access to a network; the latter can help them maintain that access so they can gather more information, compromise additional machines, and potentially evade detection.

"For those of you just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells," Huntress says, "you should seriously consider the possibility that your server is compromised if it was unpatched and internet-facing."

Plenty of people will have some pondering to do. Huntress says "that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet-facing at the time of this publication."