VMware Horizon servers — which many organizations are using to enable secure anywhere, anytime access to enterprise apps for remote workers — continue to be a popular target for attackers looking to exploit the critical Apache Log4j remote code execution vulnerability disclosed in December 2021.

Researchers from Sophos this week said they had observed a wave of attacks against vulnerable Horizon servers starting January 19, 2022, through now. Many of the attacks have involved attempts by threat actors to deploy cryptocurrency miners such as JavaX miner, Jin, z0Miner, XMRig variants, and other similar tools. But in several other instances, Sophos observed attackers attempting to install backdoors for maintaining persistent access on compromised systems.

The security vendor said its analysis suggests that the attackers delivering backdoors are likely initial access brokers (IABs) looking to provide other threat actors with access to compromised networks, for a fee. Ransomware operators have been some of the biggest customers of initial access brokers recently. So, it's likely the current wave of attacks against VMware Horizon are a precursor to ransomware attacks targeting Log4j flaws in unpatched versions of VMware Horizon server, Sophos said.

"The Web shells appear to be connected in some cases with known IAB methods and infrastructure," says Scott Barlow, vice president of global MSP at Sophos. "The shells they dropped would provide initial access for anyone they sold access to and could also be used for credential harvesting."

The UK National Health Service (NHS) was one of the first to warn about attacks targeting VMware Horizon servers containing the Log4j vulnerability (CVE-2021-44228).

In a January alert, NHS Digital, which develops and operates IT infrastructure and services for healthcare entities in the United Kingdom, said it had observed an unknown threat actor exploiting the Log4J RCE vulnerability in the Apache Tomcat service embedded within VMware Horizon to install a Web shell on compromised systems. Attackers could use the Web shell to carry out a range of malicious activities, including deploying ransomware and other malware, and to steal data from compromised healthcare systems and networks, NHS Digital had noted.

VMware issued an updated version of VMware Horizon server that addressed the vulnerability back in December 2021. It urged organizations using the technology to upgrade to the fixed version, citing the severity of the Log4j flaw and the potential for abuse. The company also released updates for numerous other products that contained vulnerable versions of Log4j.

CVE-2021-44228 (aka Log4Shell) is the most critical of three vulnerabilities that the Apache foundation disclosed in December 2021. The flaw is present in a JNDI (Java Naming and Directory Interface) lookups feature that is enabled by default in multiple versions of log4j from Log4j 2.0-beta9 to Log4j 2.14.1. The vulnerability gives attackers a way to gain complete remote control of a vulnerable system, and it's widely considered one of the most consequential flaws disclosed in recent memory because it impacts almost every single Java application and is also easy to exploit.

Contrary to what many assume, there have not been many major publicly known compromises resulting from the flaw in the three months since it was disclosed. Still, numerous security experts expect that attackers will continue to target the flaw for years to come because of how hard it is to detect and fix for most organizations.

There is also considerable fear that attackers have already exploited the flaw to gain access to many organizations that simply have not discovered the intrusions yet.

Web Shells and Cryptominers
Sophos said its analysis showed attackers in some instances exploiting the vulnerability in the Tomcat service to execute a PowerShell script for dropping the Cobalt Strike reverse-shell tool on infected systems. In other instances, the attackers bypassed Cobalt Strike and targeted the Tomcat server in VMware Horizon to drop the Web shell.

"We found several different payloads being deployed to Horizon hosts targeted by these campaigns," Sophos said.

These included cryptocurrency miners and several backdoors, including legitimate products such as the Atera agent and Splashtop Streamer.

"These are commercial remote management tools," Barlow says. "They are frequently abused by ransomware operators because they can be used to securely deploy and launch any software via the agent and appear to be from legitimate sources."

Barlow recommends that organizations conduct a full review of their software and determine whether they still have unaddressed vulnerabilities to Log4Shell. "They also need to sweep for any breaches that have already happened, as these attacks can leave backdoors open even after software is patched."