Sophos is today releasing its latest research on the Log4Shell vulnerability in Log4j. SophosLabs researchers discovered three backdoors and four cryptominers being used against unpatched VMware Horizon servers to gain persistent access.
Attackers use these tools to plant backdoors and scripts on unpatched VMware Horizon servers, giving them persistent access for future ransomware attacks. In the detailed report "Horde of Miner Bots and Backdoors Leverage Log4J to Attack VMware Horizon Servers", the Sophos researchers describe the tools and techniques used to compromise the servers, as well as the three different backdoors and four cryptominers. Some of the backdoors may have been placed by access brokers.
Log4j and Log4Shell attacks continue
Log4Shell is a vulnerability in the Log4J Java logging library, which is embedded in hundreds of software products; it became public at the end of 2021. Attackers who exploit it can execute code of their choice on the affected system. Recent attack chains that use Log4Shell against vulnerable Horizon servers include:
- two legitimate remote monitoring and management tools – Atera Agent and Splashtop Streamer
- the malicious Sliver backdoor
- the cryptominers z0Miner, JavaX miner, Jin and Mimu
- various PowerShell-based reverse shells that collect device and backup information
Sophos analysis shows that Sliver is sometimes bundled with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMRig Monero miner botnet. Attackers use different tactics to infect their targets. While some of the earlier attacks used Cobalt Strike to deploy and run the cryptominers, the largest wave of attacks began in mid-January 2022: in it, attackers ran the cryptominer installation script directly from the Apache Tomcat component of VMware Horizon Server. This wave of attacks is still active.
VMware Horizon must be updated manually
"Widespread applications like VMware Horizon that require manual updates are particularly vulnerable to large-scale exploits," said Sean Gallagher, senior security researcher at Sophos. "Our investigation shows waves of attacks on Horizon servers since January 2022, bringing various backdoors and cryptominers to unpatched servers, plus scripts to collect device information. We believe that some of the backdoors could be provided by access brokers who are looking for persistent remote access and can in turn sell it to other attackers, similar to ransomware operators."
What companies should do now
The Sophos analysis indicates that several adversaries are carrying out these attacks. The most important preventive step is therefore to update every device and application that contains Log4J to the patched version of the software, including the patched VMware Horizon, wherever organizations use these applications in their networks. Log4J is installed in hundreds of software products, and many companies are unaware of the vulnerability lurking within their infrastructure, especially in commercial, open source, or custom software that lacks regular security maintenance.
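Finding every copy of Log4J is the hard part of that advice, because the library is usually nested inside JAR, WAR and EAR archives rather than installed on its own. The following inventory scanner is an added example, not code from Sophos or the report; it assumes the archive layout Maven builds of log4j-core use (the JndiLookup class and a pom.properties file carrying the version) and treats 2.17.1 as the minimum acceptable release, a floor you may tighten or loosen for your own policy.

```python
import io
import re
import zipfile
from pathlib import Path

# Class whose presence marks a log4j-core build that contains the JNDI lookup code;
# the version in the bundled pom.properties decides whether the Log4Shell fixes are in.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_SAFE = (2, 17, 1)  # assumed policy floor; 2.3.x/2.12.x backport releases get flagged for manual review
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Pull (major, minor, patch) out of a Maven pom.properties 'version=' line."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_archive(data, label):
    """Return findings for one archive and, recursively, for archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inventory
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            version = parse_version(props)
            # Unknown version is treated as vulnerable: an inventory must fail closed.
            findings.append({"path": label, "version": version,
                             "vulnerable": version is None or version < MIN_SAFE})
        for name in names:  # descend into WEB-INF/lib/*.jar and similar nested archives
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and report every embedded log4j-core, patched or not."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings

def build_sample_war(core_version):
    """Constructed fixture: a WAR nesting a log4j-core jar, as a real web application would."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_CLASS, b"")
        z.writestr(POM_PROPS, f"version={core_version}\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{core_version}.jar", core.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    for finding in inspect_archive(build_sample_war("2.14.1"), "sample.war"):
        print(finding)
```

Run `scan_tree("/path/to/application/servers")` against the hosts you operate; any result with `vulnerable: True` is a library that still needs the vendor's patched build, and a result with no version at all deserves a manual look.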
Even patched programs offer no protection if attackers were already able to install a web shell or a network backdoor. Defense in depth, combined with acting immediately on any sign of cryptominers or other unusual activity, is crucial to avoid falling prey to such attacks.
Sophos has continued to closely monitor attack activity related to the Log4Shell vulnerability and has released a number of technically detailed and advisory reports:
- Log4Shell Hell: Anatomy of an Exploit Outbreak
- Log4Shell Response and Mitigation Recommendations
- Inside the Code: How the Log4Shell Exploit Works
- Log4Shell: No Mass Abuse, But No Respite, What Happened?
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. These are backed by SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.