- Days after NHS Digital researchers cautioned about Log4Shell-related threat activity against VMware Horizon, threat actors are exploiting the vulnerability to install Cobalt Strike implants on VMware Horizon servers, multiple U.S. firms warned.
- After validating prior intelligence from NHS Digital, Huntress found web shells on 10% of the 180 Horizon servers it monitors. One-third of the servers were unpatched and visible to threat actors on the internet, Huntress said. The firm's ThreatOps team learned of the Log4Shell exploitation with Cobalt Strike, threat emulation software normally used by red teams.
- The risk is very high for organizations with VMware Horizon servers that face the internet, according to Roger Koehler, VP of threat operations at Huntress.
Huntress found the 18 compromised systems were backdoored by a web shell called absg-worker.js. The web shells allow an attacker to execute remote commands on the system.
On Friday, managed antivirus tools alerted on Cobalt Strike implants from two different hosts, according to Huntress. Data shows the Cobalt Strike implants were related to attacks on VMware Horizon but did not involve web shells.
Based on the 10% ratio of compromised systems, Koehler warns the findings may indicate thousands of compromised servers, as Shodan data shows about 25,000 systems that are visible on the internet around the world.
"The additional reason for this being so concerning is the Horizon servers may be on network segments where other critical servers like Domain Controllers and File Servers are located," Koehler said.
An attacker would be able to pivot from a compromised Horizon server to other systems, possibly using built-in Windows functionality, Koehler said. This would make it more difficult to identify the movement.
VMware says if a web shell is found, security teams should take the system down and engage an incident response team, according to Huntress. Huntress researchers suggest reverting to a backup version prior to Dec. 25, as analysis shows the web shell activity ran between Dec. 25-29.
VMware released an earlier statement urging customers to review its security advisory, VMSA-2021-0028. Customers should also review a Q&A document and join the company's Security-Announce mailing list.