Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Security News, April 2022
A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data.
Cybersecurity firm CrowdStrike, which assigned the panda-themed name to the group all the way back in July 2014, called it "One of the most advanced Chinese nation-state cyber intrusion groups."
The latest set of attacks documented by Fortinet shows that the infection procedure involved the exploitation of the Log4j remote code execution flaw in vulnerable VMware Horizon servers to spawn a chain of intermediate stages, ultimately leading to the deployment of a backdoor dubbed Milestone.
Multiple groups have joined the fray, including the Iranian TunnelVision group, which was observed actively exploiting the Log4j logging library defect to compromise unpatched VMware Horizon servers with ransomware.
Most recently, cybersecurity company Sophos highlighted a slew of attacks against vulnerable Horizon servers that have been ongoing since January, mounted by threat actors to illicitly mine cryptocurrency, install PowerShell-based reverse shells, or deploy Atera agents to remotely deliver additional payloads.
"Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature," Sophos researchers said, adding, "Platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can easily be found and exploited with well-tested tools."
News URL: https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html
Related news
- Russian hackers hijack Pakistani hackers' servers for their own attacks
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities
- Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers
- U.S. org suffered four month intrusion by Chinese hackers
- Chinese hackers use Visual Studio Code tunnels for remote access
- U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls
- APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP
- White House links ninth telecom breach to Chinese hackers
- Chinese hackers targeted sanctions office in Treasury attack