A wave of cyber attacks exploiting the Log4Shell remote code execution (RCE) vulnerability in Apache Log4j Java logging component seems to be targeting users of VMware Horizon servers, according to fresh intelligence released by Sophos analysts.
In a recently published technical paper, Horde of miner bots and backdoors leveraged Log4j to attack VMware Horizon servers, Sophos’ researchers reveal how attackers are continuing to exploit widespread failure to pay attention to Log4Shell to deliver backdoors and profiling scripts to VMware Horizon servers, laying the groundwork to achieve lasting, persistent access, and facilitating future ransomware attacks.
“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos.
“Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information.”
Sophos believes the backdoors are being delivered by initial access brokers (IABs), an increasingly well-leveraged element of the ransomware-as-a-service (RaaS) “supply chain”. It said it had found three different backdoors, as well as four illicit cryptominers, during the course of its research.
The attack payloads discovered by Gallagher and his team include two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, being repurposed for malicious use as backdoors; the Sliver backdoor, which is already malicious; and several PowerShell-based reverse shells to collect device and backup information. Additionally, the uncovered cryptominers were z0Minder, JavaX miner, Jin and Mimu.
Sliver, notably, is sometimes being delivered alongside Atera and PowerShell profiling scripts to deliver Jin and Mimu, which are both variants of the XMrig Monero miner botnet.
The attackers were found to be using several different approaches to infect targets, but it may be notable that in the largest wave of attacks, beginning in mid-January, the attackers moved away from the highly favoured Cobalt Strike tool as a means of staging and executing cryptominer payloads, to executing the cryptominer installer script directly from the Apache Tomcat component of the target VMware Horizon server.
“Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications that include Log4J with the patched version of the software. This includes patched versions of VMware Horizon if organisations use the application in their network,” said Gallagher.
“Log4J is installed in hundreds of software products and many organisations may be unaware of the vulnerability lurking in within their infrastructure, particularly in commercial, open source or custom software that doesn’t have regular security support.
“And while patching is vital, it won’t be enough if attackers have already been able install a web shell or backdoor in the network. Defence in depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks,” he said.