Log4Shell used to infect VMware Horizon servers with backdoors and cryptocurrency miners


The Log4Shell vulnerability is still exploited to provide backdoors and cryptocurrency miners to vulnerable VMware Horizon servers.

On Tuesday, cybersecurity researchers at Sophos revealed that the attacks, first detected in mid-January, are continuing. Not only have backdoors and cryptocurrency miners been deployed, but scripts are also being used to gather and steal information from infected devices.

Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

Gain access to vulnerable servers

The researchers warn that Log4Shell is likely to last for years, especially considering the vulnerability’s ease of exploitation.

Microsoft has already detected Log4Shell attacks carried out by state-sponsored attackers, but most activity appears to focus on cryptocurrency mining, ransomware and bot activity. A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated.
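One defender-side check that follows from this, as an added example (Python, not code from the article or from Sophos): walk a directory of JAR, WAR and EAR archives and report those that still carry the JndiLookup class, which Apache advised removing from older Log4j versions that could not be upgraded; a hit is a prompt to verify the Log4j version, not proof of exploitability. The sample archives in the script are constructed in memory, so it runs offline.

```python
import io
import os
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def archive_has_jndi_lookup(data, depth=0, max_depth=4):
    """True if the archive, or an archive nested in it, contains JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP_CLASS:
                return True
            # Fat JARs, WARs and EARs ship log4j-core as a nested archive.
            if depth < max_depth and name.lower().endswith(ARCHIVE_SUFFIXES):
                if archive_has_jndi_lookup(zf.read(name), depth + 1, max_depth):
                    return True
    return False


def scan_directory(root):
    """Walk root and return the archives that still carry JndiLookup.class."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    if archive_has_jndi_lookup(f.read()):
                        hits.append(path)
    return sorted(hits)


def build_sample_archive(include_lookup, nested=False):
    """Constructed sample data: a tiny fake log4j-core JAR, optionally inside a WAR."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

Run scan_directory against an application's library folder; every path it returns should then be compared with the Log4j version actually installed.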

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners.

Access vulnerable servers

The attackers behind this campaign are exploiting the bug to gain access to vulnerable servers. Once inside a system, they can install Atera agent or Splashtop Streamer, two legitimate remote monitoring tools, hijacking their intended purpose so that they serve as backdoors for surveillance.

The third backdoor detected by Sophos is Sliver, an open-source offensive security implant released for use by pen testers and red teams.

Sophos links four miners to this wave of attacks: z0Miner, JavaX miner, Jin and Mimu, all of which mine Monero (XMR). Trend Micro previously found z0Miner operators exploiting an Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks.

A PowerShell URL

A PowerShell URL linked to both campaigns suggests there may also be a connection between them, although this remains unclear.

“While z0Miner, JavaX, and other payloads were downloaded directly by the web shells used for the initial compromise, the Jin bots were tied to using Sliver and using the same wallets as Mimo, suggesting that these three pieces of malware were used by the same actor,” the researchers say.

Additionally, the researchers uncovered evidence of the deployment of a reverse shell designed to collect information about devices and backups.

“Log4j is installed in hundreds of software products and many companies may be unaware of the vulnerability lurking in their infrastructure, especially in commercial, open source or custom software that does not receive regular security support,” commented Sean Gallagher, senior security researcher at Sophos. “And while patches are essential, they won’t be enough if attackers have already been able to install a web shell or backdoor into the network.”

Source: ZDNet.com
