Sophos: Attackers use Log4Shell security vulnerabilities to create backdoors on virtual servers

by time news

Sophos, a global leader in cyber security, has published research on the use of the Log4Shell vulnerability to plant backdoors and profiling scripts on VMware Horizon servers that have not been patched, giving attackers persistent access to those servers and opening the door to future ransomware attacks.

The study, entitled “Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers,” lists the tools and techniques used to compromise the servers, install three backdoors, and deploy four different cryptocurrency miners.

Log4Shell is a vulnerability that enables remote code execution in Apache Log4j, a Java-based logging component that is embedded in hundreds of software products. The vulnerability was disclosed and patched in December 2021.

“Widely used applications like VMware Horizon that are exposed to the Internet and require manual updates are particularly vulnerable to large-scale exploitation,” said Sean Gallagher, a senior security researcher at Sophos.

Sophos’ detection telemetry revealed waves of attacks on Horizon servers starting in January, which planted a variety of backdoors and cryptominers on unpatched servers, along with scripts that collect information about the compromised server.

“Sophos believes that some of the backdoor loopholes have been infiltrated by primary access providers trying to ensure lasting remote access to significant destinations that they can sell to other attackers, such as ransomware operators.”

The multiple attack payloads that Sophos has identified being delivered through the Log4Shell vulnerability against vulnerable Horizon servers include two legitimate remote monitoring and management tools, the Atera agent and Splashtop Streamer, which were apparently intended for malicious use as backdoors, and the malicious Sliver backdoor.

They also include the cryptocurrency miners z0Miner, JavaX miner, Jin and Mimu, and a number of PowerShell-based reverse shells that collect information about the device and the backups configured on it.

Sophos’ analysis found that the Sliver implant is sometimes delivered together with Atera and the PowerShell profiling scripts, and is used to deliver the Jin and Mimu variants of the XMRig Monero-mining botnet.

According to Sophos, attackers use several different approaches to reach their targets. While some earlier attacks used Cobalt Strike to run the cryptominer payloads, the largest wave of attacks, which began in mid-January 2022, ran the script that installs the miner directly from the Apache Tomcat component running on the VMware Horizon server. This wave of attacks is still ongoing.

“Sophos’ findings indicate that many attackers use these intrusions, so the most important defensive step is to install the revised version of Log4j on all servers and applications that use this component. This includes revised versions of VMware Horizon, in organizations that use this application on their network,” Gallagher said.

“Log4j is installed on hundreds of software products and many organizations may not be aware of the security breach lurking within their infrastructure, especially commercial software, open source software or custom software that does not have permanent security support. We were able to gain web shell access or install a backdoor on the corporate network.”
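The patching advice above presupposes knowing where Log4j is embedded, which, as the article notes, many organizations do not. The following is an added example (not Sophos’ tooling and not part of the research): a Python inventory that finds Log4j 2 core jars, including ones nested inside .war/.ear bundles, reads the version from each jar’s manifest and compares it with the patched release of its branch. The `Implementation-Version` manifest field and the fixed-version thresholds are assumptions to verify against the Apache advisory; the sample jars are constructed in memory.

```python
import io
import re
import zipfile
from pathlib import Path

# Added example (not Sophos' tooling): inventory Log4j 2 core jars, including jars
# nested in .war/.ear files, and compare each version with the patched releases.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVE_EXT = (".jar", ".war", ".ear")
# First patched release per 2.x branch (assumed; verify against the Apache advisory).
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)

def parse_version(manifest_text):
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None  # None if header is missing

def inspect_archive(data, label):
    """Return (label, version, status) for each Log4j core jar inside data."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names, findings = set(zf.namelist()), []
    if JNDI_CLASS in names:  # only log4j-core 2.x ships the JNDI lookup class
        version = parse_version(zf.read(MANIFEST).decode("utf-8", "replace")) if MANIFEST in names else None
        fixed = FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT) if version else None
        status = "unknown" if not version else "patched" if version >= fixed else "needs-update"
        findings.append((label, version, status))
    for inner in sorted(names):  # recurse into bundled libraries (WEB-INF/lib etc.)
        if inner.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_archive(zf.read(inner), f"{label}!{inner}"))
    return findings

def scan_tree(root):
    """Inspect every .jar/.war/.ear below root (e.g. a Horizon install directory)."""
    archives = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_EXT)
    return [hit for p in archives for hit in inspect_archive(p.read_bytes(), str(p))]

def build_sample_jar(version, nest_in_war=False):
    """Constructed test input: minimal fake log4j-core jar, optionally wrapped in a .war."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war.getvalue() if nest_in_war else jar.getvalue()
```

Log4j 1.x jars do not contain the JNDI lookup class and are therefore not reported; a jar with a stripped or missing manifest is reported with status `unknown` so it can be checked by hand.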
