Security News

VMware Horizon platform pummeled by Log4j-fueled attacks
2022-03-30 15:30

VMware's Horizon virtualization platform has become an ongoing target of attackers exploiting the high-profile Log4j flaw to install backdoors and cryptomining malware. VMware in late December released an updated version of Horizon and continued with patches for Horizon this month for the Log4j flaw - called Log4Shell and tracked as CVE-2021-44228 - but the threat continues.

Log4JShell Used to Swarm VMware Servers with Miners, Backdoors
2022-03-29 20:33

What researchers are calling a "horde" of miner bots and backdoors are using the Log4Shell bug to take over vulnerable VMware Horizon servers, with threat actors still actively waging some attacks. On Tuesday, Sophos reported that the remote code execution Log4j vulnerability in the ubiquitous Java logging library is under active attack, "particularly among cryptocurrency mining bots." Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes are initial access brokers that could lay the groundwork for later ransomware infections.

Hive ransomware ports its Linux VMware ESXi encryptor to Rust
2022-03-27 19:18

The Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations. Ransomware gangs' Linux encryptors typically target the VMware ESXi virtualization platforms as they are the most commonly used in the enterprise.

VMware fixes command injection, file upload flaws in Carbon Black security tool
2022-03-23 23:30

VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows. According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.

VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control
2022-03-23 20:38

VMware on Wednesday released software updates to plug two critical security vulnerabilities affecting its Carbon Black App Control platform that could be abused by a malicious actor to execute arbitrary code on affected installations in Windows systems. VMware Carbon Black App Control is an application allow listing solution that's used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates.

Iranian hackers target VMware Horizon servers with Log4j exploits
2022-02-18 19:55

An Iranian-aligned hacking group tracked as TunnelVision was spotted exploiting Log4j on VMware Horizon servers to breach corporate networks in the Middle East and the United States. Security analysts at SentinelLabs who have been tracking the activity chose that name due to the group's heavy reliance on tunneling tools, which help them hide their activities from detection solutions.

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware
2022-02-17 23:40

A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group "TunnelVision" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus as well as Charming Kitten and Nemesis Kitten.

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products
2022-02-17 19:18

VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service condition. CVE-2021-22042 - ESXi settingsd unauthorized access vulnerability.

VMWare fixes holes that could allow virtual machine escapes
2022-02-16 19:32

Acting now will almost certainly jump you ahead of the many inquisitive cybercriminals out there, given that none of the bugs patched in this update seem to be zero-day security holes. Both CVE-2022-22040 and CVE-2022-22021 are annotated with the comment that "a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host."

Critical VMware Bugs Open ESXi, Fusion & Workstation to Attackers
2022-02-16 15:59

VMware has issued a critical security update to address issues in its ESXi, Fusion and Workstation products, including VMware Cloud Foundation versions. VMware noted that patching VMware ESXi, Fusion and Workstation is the fastest method to resolve the issues, but organizations could also remove USB controllers from their VMs as a workaround.