Log4Shell Explores a New VMware Horizon - Threatwire
Added 2022-04-06 14:23:35 +0000 UTC
By Shannon Morse, ThreatWire
An advanced persistent threat group called Deep Panda (aka KungFu Kittens, Bronze Firestone, or Shell Crew) out of China is actively exploiting the Log4Shell issue in VMware Horizon to deploy backdoors, install rootkits, and steal data. Yeah, remember Log4Shell over the holidays? It ain’t over!
Deep Panda has been active since 2010 and is considered one of the more advanced nation state groups. They’ve targeted legal firms to steal data, along with technology firms, to build C&C infrastructure. This newest activity is attributed to them because the rootkits used are similar to those seen in their previous attacks. Another group, Winnti, is also noted because it uses similar exploits.
Researchers at Fortinet’s FortiGuard Labs explained that this attack has been observed across multiple countries and a variety of sectors including financial, academic, cosmetics, and travel industries. The group uses the Log4j RCE flaw to deploy backdoors called Milestone and deploy a rootkit called Fire Chili which uses stolen game development company certificates so it evades detection on these vulnerable VMware Horizon servers.
The remote access trojan called Infoadmin, which is based on Ghost RAT code, has also been seen on these infected servers.
Fire Chili is new, though, and since it uses these stolen certs, security systems may not detect its installation on a server. It checks to make sure safe mode isn’t running, and it looks for the OS version since it doesn’t work on all machines. It can tamper with the registry to make sure the registry doesn’t stop malicious processes, and it also hides registry keys and TCP network connections.
This isn’t the only attack seen by researchers as of late. Sophos also reported on the Log4j vulnerability being used to install cryptominer bots on these VMware Horizon servers, along with activity from initial access brokers. The cryptominers include z0Miner, Jin, and Mimu. The backdoor includes Sliver, which is a legitimate red teaming tool, but they believe it’s being used as a payload before the cryptominers are installed.
Another RCE, Spring4Shell, which affects VMware products, has been patched. This is tracked as CVE-2022-22965 with a 9.8 severity score and could allow an attacker to execute arbitrary code or take control of an infected system. This problem exists in the Spring Core Java framework. It’s bad because this framework exists on tons of platforms, and a proof of concept was leaked on GitHub before a security update was available. In the case of VMware, this affects versions of the Tanzu Application Service for VMs, the Operations Manager, and the TKGI, with a full list available via VMware’s advisory I’ve linked with this story.
Of course, for all of these issues, patching the underlying vulnerabilities is the recommended way to combat these exploits. The problem with Log4Shell is that it exists in so many platforms that it may be hard for organizations to find and remediate the issue across all of them, especially if some of those platforms are third party or open source.
Links:
https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html
https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
https://www.vmware.com/security/advisories/VMSA-2022-0010.html