Huntress Labs says Cobalt Strike is being installed on at least some of these servers.
Huntress reports that attackers have started to exploit the Log4Shell vulnerabilities revealed in December 2021 on servers running VMware Horizon to deploy Cobalt Strike. Log4Shell refers to several high-severity vulnerabilities in the Log4j package used by countless Java developers to create logs for their applications. VMware describes Horizon as a tool offering "efficient and secure delivery of virtual desktops and apps from on-premises to the cloud." Cobalt Strike, meanwhile, is a command-and-control framework that security professionals use to assess an organization’s ability to respond to malicious activity on its network.