Log4j Threat Affecting VMware Horizon Servers ‘Could Escalate’: Huntress

‘So far there’s been no huge impact because we’re catching it and preventing it from our MSPs,’ says Roger Koehler, VP of threat operations at Huntress. ‘But they could laterally move and really get into their entire environment, or if they end up ransoming these hosts, it can be devastating. It can prevent us from actually logging in and doing our job.’

MSPs should remain on high alert after a Log4j vulnerability was found on VMware Horizon servers last week.

“People should definitely be concerned about it and should be reacting to it,” Roger Koehler, VP of threat operations at threat hunting firm Huntress, told CRN. “Tomorrow it could escalate. A lot of times these things go for sale on the black market and then people will buy it, confirm that it’s still valid and sell it again.”

The original flaw in the Java logging library Apache Log4j sat undiscovered for years and was identified in early December, sparking panic among vendors and solution providers about what data could be compromised and how fast it could be stolen from them.

Last week, Huntress discovered a Log4j threat to VMware Horizon, a virtual desktop application, that was being hit with Cobalt Strike, a commercial adversary simulation software that is widely stolen and used by threat actors.

On January 5, the UK’s National Health Service alerted that hackers were targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish persistent access via web shells, according to a Huntress blog. Web shells allow attackers to remotely execute commands.

“All of the hits so far were just of the web shells, so an attacker basically edited the file [in hopes] to come back later,” Koehler told CRN. “We realized that they actually did that back around December 25 to December 29, so it was almost like using one holiday to stage to then maybe come back to another holiday to do more activities.”

[Related: Log4j Exploit Is ‘A Fukushima Moment’ For Cybersecurity: Tenable CTO]

There are more than 25,000 VMware Horizon servers publicly accessible to the internet, according to search engine Shodan. Huntress covers 180 of those servers and found webshells on 18 systems as far back as Christmas day.

CRN has reached out to VMware for comment.

As the Huntress team was looking at some antivirus detections that got caught by Cobalt Strike, they found that the attacker was escalating what they were working on.

“And as we started digging into it, we realized that there‘s a lot more going on and this was affecting VMware Horizon,” he said.

He said the threat advisory has a “tremendous” economic impact on MSPs as 10 percent of the servers Huntress monitors were compromised.

Antivirus is protecting against a lot of the threats, he said, but this latest threat shows crypto miners being dropped and other activity happening.

“So far there‘s been no huge impact because we’re catching it and preventing it from our MSPs,” he said. “But they could laterally move and really get into their entire environment, or if they end up ransoming these hosts, it can be devastating. It can prevent us from actually logging in and doing our job.”

It’s hard to see the full impact, he said, until after the threat is gone. And it can be a hard fix.

Something like this threat where an administrator has to manually go in, update and patch it can be timely.

“That‘s why it’s really important for a lot of these MSPs, and other midmarket enterprises, to often talk about security in depth, putting layers where you shouldn‘t just rely on one simple thing,” he said. “There’s always going to be something out there and you really need to have that layer of security.”

Patching is also crucial, he added.

In light of the vulnerability, Huntress has reached out to MSPs they work with to let them know they’re monitoring it 24/7. In response, some MSPs installed Huntress platforms on their VMware Horizon servers.

Although there is evidence that this started around Christmas, Koehler said the threat is very much ongoing.

Huntress continues to dig into the vulnerability and found a few other attack methods in doing so.

“We‘re constantly finding new things. We’re reporting those to the partners and just urging more and more people to patch it and get this mitigated as quickly as possible before it escalates into something more,” he said.