Security News > 2022 > April > Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data.
Cybersecurity firm CrowdStrike, which assigned the panda-themed name to the group all the way back in July 2014, called it "One of the most advanced Chinese nation-state cyber intrusion groups."
The latest set of attacks documented by Fortinet shows that the infection procedure involved the exploitation of the Log4j remote code execution flaw in vulnerable VMware Horizon servers to spawn a chain of intermediate stages, ultimately leading to the deployment of a backdoor dubbed Milestone.
Multiple groups have joined the fray, including the Iranian TunnelVision group, which was observed actively exploiting the Log4j logging library defect to compromise unpatched VMware Horizon servers with ransomware.
Most recently, cybersecurity company Sophos highlighted a slew of attacks against vulnerable Horizon servers that have been ongoing since January and have been mounted by threat actors to illicitly mine cryptocurrency, install PowerShell-based reverse shells, or to deploy Atera agents to remotely deliver additional payloads.
"Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature," Sophos researchers said, adding "Platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can easily found and exploited with well-tested tools."
News URL
https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html
Related news
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- Over 37,000 VMware ESXi servers vulnerable to ongoing attacks (source)
- Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits (source)
- Chinese Weaver Ant hackers spied on telco network for 4 years (source)
- Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps (source)
- Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Chinese hackers target Russian govt with upgraded RAT malware (source)