Share this article on:
According to Sophos, the attackers are using several different approaches to infect targets. While some of the earlier attacks used Cobalt Strike to stage and execute the crypto miner payloads, the largest wave of attacks that began in mid-January 2022 executed the crypto miner installer script directly from the Apache Tomcat component of the VMware Horizon server. This wave of attacks is ongoing.
Sophos’ findings have revealed how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks. A new technical paper, Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers, details the tools and techniques used to compromise the servers and deliver three different backdoors and four crypto miners. The backdoors are possibly delivered by initial access brokers.
Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. It was reported and patched in December 2021.
Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale, according to Sean Gallagher, senior security researcher at Sophos.
“Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and crypto miners to unpatched servers, as well as scripts to collect some device information.
“Sophos believes that some of the backdoors may be delivered by initial access brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators,” Gallagher said.
The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:
Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications that include Log4J with the patched version of the software, and Gallagher further explains that this includes patched versions of VMware Horizon if organisations use the application in their network.
“Log4J is installed in hundreds of software products and many organisations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source or custom software that doesn’t have regular security support.
“And while patching is vital, it won’t be enough if attackers have already been able to install a web shell or backdoor in the network.
“Defence in depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks,” Gallagher concluded.
[Related: FEDERAL BUDGET: Industry reacts to $9.9bn REDSPICE project]