Skip to main content
close search
site logo
Dive Brief

Cobalt Strike targets VMware Horizon after UK warnings of Log4Shell threats

Published Jan. 18, 2022
David Jones's headshot
Reporter
Rendered image depicting global networks.
DKosig via Getty Images

Dive Brief:

  • Days after NHS Digital researchers cautioned of Log4Shell-related threat activity against VMware Horizon, threat actors are exploiting the vulnerability to install Cobalt Strike implants in VMware Horizon servers, multiple U.S. firms warned. 
  • After validating prior intelligence from NHS Digital, Huntress found web shells on 10% of the 180 Horizon servers it monitors. One-third of the servers were unpatched and visible to threat actors on the internet, Huntress said. The firm's ThreatOps team learned of the Log4Shell exploitation with Cobalt Strike, which is a threat emulation software normally used by Red Teams. 
  • The risk is very high for organizations with VMware Horizon servers that face the internet, according to Roger Koehler, VP of threat operations at Huntress.

Dive Insight:

Huntress found the 18 compromised systems were backdoored by a web shell called absg-worker.js. The web shells allow an attacker to execute remote commands on the system. 

On Friday, managed antivirus tools tipped off to Cobalt Strike implants from two different hosts, according to Huntress. Data shows the Cobalt Strike implants were related to attacks on VMware Horizon but did not involve web shells. 

Tracking the 10% ratio of compromised systems, Koehler warns the findings may indicate thousands of compromised servers, as Shodan data shows about 25,000 systems that are visible on the internet around the world. 

"The additional reason for this being so concerning is the Horizon servers may be on network segments where other critical servers like Domain Controllers and File Servers are located," Koehler said. 

An attacker would be able to pivot from a compromised Horizon server to other systems, possibly using built-in Windows functionality, Koehler said. This would make it more difficult to identify the movement. 

The Huntress findings echo reports from Red Canary and the DFIR Report on Friday indicating similar threat activity involving a PowerShell based downloader executing a payload with Cobalt Strike. 

VMware says if a web shell is found, security teams should take the system down and engage an incident response team, according to Huntress. Huntress researchers suggest reverting to a backup version prior to Dec. 25, as analysis shows the web shell activity ran between Dec. 25-29. 

VMware released an earlier statement urging customers to review of its security advisory, VMSA-2021-0028. Customers should also review a Q&A document and join the company's Security-Announce mailing list. 

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell