

Attackers use the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers.

Cybersecurity company Sophos said that multiple adversaries are targeting vulnerable Horizon servers, paving the way for persistent access and future ransomware attacks.

Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. The vulnerability was discovered and patched last December.

Amit Yoran, CEO of cybersecurity company Tenable, said that the Apache Log4j remote code execution vulnerability is the last decade's single most significant, critical vulnerability. "The discovery of this vulnerability is nothing short of a Fukushima moment for the cybersecurity industry."

According to Sean Gallagher, a senior security researcher at Sophos, Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information.

Log4J is installed in hundreds of software products. Many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source, or custom software that doesn't have regular security support. Widely used applications such as VMware Horizon that are exposed to the internet and must be updated manually are particularly vulnerable to exploitation at scale.

Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high-value target that they can sell to other attackers, such as ransomware operators.

Sophos detected multiple attack payloads using Log4Shell to target vulnerable Horizon servers:

* Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
* The cryptominers z0Miner, JavaX miner, Jin and Mimu
* Several PowerShell-based reverse shells that collect device and backup information

According to Sophos, the largest wave of attacks, which began in mid-January 2022, executed the cryptominer installer script directly from the Apache Tomcat component of the VMware Horizon server.

"Sophos' findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications, including Log4J, with the patched version of the software. This includes patched versions of VMWare Horizon if organizations use the application in their network," said Gallagher.

This is far from the first time internet-facing systems running VMware Horizon have come under attack using Log4Shell exploits. Earlier this month, Microsoft called out a China-based operator tracked as DEV-0401 for deploying a new ransomware strain called NightSky on the compromised servers.

The onslaught against Horizon servers has also prompted VMware to urge its customers to apply the patches immediately. "The ramifications of this vulnerability are serious for any system, especially ones that accept traffic from the open Internet," the virtualization services provider cautioned.

"When an access broker group takes interest in a vulnerability whose scope is so unknown, it's a good indication that attackers see significant value in its exploitation," Tony Lee, vice president of global services technical operations at BlackBerry, said. "It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it's an attack vector against which defenders need to exercise constant vigilance," Lee added.
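Gallagher's advice to upgrade Log4J wherever it is embedded presupposes knowing where it is bundled, which is exactly what organizations with Log4J "lurking within their infrastructure" lack. The Python below is an added example, not code from Sophos or the article: it walks a deployment tree such as a Tomcat webapps directory and reports every bundled log4j-core, including jars nested inside war and ear files; the 2.17.1 baseline is an assumption of the example, not a figure from the article.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Assumption for this example (not from the article): flag log4j-core below 2.17.1; check the vendor advisory for your branch.
MIN_SAFE_VERSION = (2, 17, 1)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.12.4-rc1' -> (2, 12, 4); unparsable -> ()."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g) for g in m.groups() if g) if m else ()

def scan_archive(data, location, findings):
    """Record log4j-core's Maven marker if present, then recurse into nested archives."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real zip (e.g. a renamed file): nothing to inspect
    with archive:
        if POM_PROPS in archive.namelist():
            props = archive.read(POM_PROPS).decode("utf-8", "replace")
            version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                            if l.startswith("version=")), "unknown")
            findings.append((location, version, parse_version(version) < MIN_SAFE_VERSION))
        for member in archive.namelist():  # jars inside wars/ears are where Log4J usually hides
            if member.lower().endswith(ARCHIVES):
                scan_archive(archive.read(member), f"{location}!{member}", findings)

def scan_tree(root):
    """Return (location, version, needs_upgrade) for every log4j-core found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def demo():
    """Constructed sample: an old log4j-core nested in a war beside a patched standalone jar."""
    def make_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\n")
        return buf.getvalue()
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "webapps").mkdir()
        with zipfile.ZipFile(Path(root) / "webapps" / "portal.war", "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
        (Path(root) / "log4j-core-2.17.1.jar").write_bytes(make_jar("2.17.1"))
        return scan_tree(root)
```

An "unknown" version (marker present but unreadable) is deliberately reported as needing the upgrade rather than silently passed.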
