The Log4Shell vulnerability is actively exploited to bring backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. The cybercriminals are also targeting device information. According to Sophos, the attacks, which are still ongoing, began in January.
Log4Shell is a critical vulnerability in the Apache Log4J Java Logging Library. The vulnerability, which allows unauthorized remote code execution (RCE), was disclosed in December 2021 and is listed as CVE-2021-44228 with a CVSS score of 10.0.
has previously spotted Log4Shell attacks by state-sponsored cybercriminals, but most seem to focus on cryptocurrency mining, ransomware, and bot activities. A patch was released in December 2021, but as is often the case with internet-connected servers, many systems have not yet been updated.
According to Sophos, recent Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign exploit the flaw to gain access to vulnerable servers. Once inside the system, Atera Agent or Splashtop Streamer, two legitimate remote monitoring software packages, can be installed to use as a backdoor. The other backdoor discovered by Sophos is Silver, an aggressive, open-source security implant open to pen testers and red teams.
The four miners associated with this attack wave are: z0Miner, JavaX miner, Jin and Mimu mining Monero (XMR). “Patches, while important, are not enough when attackers have already managed to install a web shell or backdoor on the network,” said Sean Gallagher, senior security researcher at Sophos.