NEWS > March 2022
|
Red Flag for Ransomware: Attackers Are Using the Log4Shell Vulnerability to Deliver Backdoors to Virtual Servers, Sophos Research Shows March 29, 2022 - Sophos, a global leader in next-generation cybersecurity, today released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks. A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers. The backdoors are possibly delivered by Initial Access Brokers. Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. It was reported and patched in December 2021. “Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information. Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.” The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:
Sophos' analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMrig Monero miner botnet. According to Sophos, the attackers are using several different approaches to infect targets. While some of the earlier attacks used Cobalt Strike to stage and execute the cryptominer payloads, the largest wave of attacks that began in mid-January 2022, executed the cryptominer installer script directly from the Apache Tomcat component of the VMware Horizon server. This wave of attacks is ongoing. Sophos has closely monitored attack activity related to the Log4Shell vulnerability and has published a number of in depth technical and advisory reports, including Log4Shell Hell – Anatomy of an Exploit Outbreak , Log4Shell Response and Mitigation Recommendations , Inside the Code: How the Log4Shell Exploit Works , and Log4Shell: No Mass Abuse, But No Respite, What Happened? Sophos solutions are available in UK through Simple IT Distribution LTD, Sophos Partner in UK.
About Simple IT Distribution LTD Simple IT Distribution LTD is backed by 10 years of experience in Value Added IT Distribution. What sets us apart from the crowd is our customer-centric approach, the quality services (consulting, implementation, training, support), and the people behind them, which are experienced and certified proffessionals. We provide sales and technical advice and deliver the solutions that best meed our customers' diverse technology needs. Our partners are hand-picked from the top vendors, and we back up their solutions with certified professionals, to give you nothing but the best. For more information, please visit www.simpleit-distribution.co.uk . |
