Hackers are continuing to leverage the Log4Shell vulnerability to attack VMware Horizon servers and deploy cryptocurrency mining malware and backdoors, with a large wave of such attacks from mid-January still ongoing, according to cybersecurity firm Sophos.
In a new report, Sophos says the attempts to leverage Horizon continued and grew in number throughout January and were frequently associated with attempts to deploy crypto miners, but others appeared to be associated with initial access brokers or ransomware gangs.
Log4Shell is a critical vulnerability in Log4j, a popular Java logging library that can load resources over the Lightweight Directory Access Protocol (LDAP). Attackers can abuse that capability to retrieve a malicious Java class file that modifies existing legitimate Java code, adding a web shell that gives the attackers remote access and code execution. Those attacks have been observed since the beginning of January, Sophos says in the report, published Tuesday.
A large wave of attacks began on Jan. 14, some of which used Cobalt Strike to stage and execute the cryptominer payloads. However, the largest wave of Log4Shell exploits aimed at Horizon detected by Sophos began Jan. 19, and this wave did not rely on Cobalt Strike. Instead, the crypto miner installer script is directly executed from the Apache Tomcat component of the Horizon server, the report says.
According to Sophos, earlier attacks had a typical process trace that shows them starting from the Tomcat service executable and ending with the execution of the PowerShell script, which executes a standard Cobalt Strike reverse shell.
However, other exploits bypass the use of Cobalt Strike altogether and use Log4Shell to directly target the Tomcat server within Horizon.
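The process trace described above (Tomcat service executable at the root, PowerShell at the end) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or the Sophos report; the Tomcat service image name and all events are constructed assumptions:

```python
"""Flag shell processes whose ancestry leads back to the Horizon Tomcat
service. Added example; image names and events below are constructed."""
import re

# Assumption: the Horizon Tomcat service runs under one of these image names.
TOMCAT_IMAGES = {"ws_tomcatservice.exe", "tomcat9.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
ENCODED_FLAG = re.compile(r"\s-e(nc|ncodedcommand)?\s", re.IGNORECASE)

# Constructed process-creation events: (pid, ppid, image, command line).
EVENTS = [
    (400, 1, "services.exe", "services.exe"),
    (1200, 400, "ws_TomcatService.exe", "ws_TomcatService.exe //RS//Tomcat"),
    (3300, 1200, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    (3310, 3300, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    (2100, 400, "svchost.exe", "svchost.exe -k netsvcs"),
    (2150, 2100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]


def build_tree(events):
    """Return {pid: (ppid, image, cmdline)} for quick parent lookups."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def chain_to_root(pid, by_pid):
    """Image names from pid up to the oldest known ancestor, root first."""
    chain = []
    while pid in by_pid:
        ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def find_tomcat_shells(events):
    """Return (pid, chain, encoded) for each shell descending from Tomcat.

    'encoded' is True when the command line carries an encoded-command flag,
    a common trait of the staged PowerShell payloads the text describes."""
    by_pid = build_tree(events)
    hits = []
    for pid, (_, image, cmdline) in by_pid.items():
        if image.lower() not in SHELL_IMAGES:
            continue
        chain = chain_to_root(pid, by_pid)
        # Only ancestors count, not the shell process itself.
        if any(img.lower() in TOMCAT_IMAGES for img in chain[:-1]):
            hits.append((pid, chain, bool(ENCODED_FLAG.search(cmdline))))
    return hits
```

The scheduled-task PowerShell under svchost.exe is deliberately left unflagged, since the point is the parent chain, not the shell binary by itself.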
The payloads deployed to Horizon hosts include various cryptocurrency miners, among them z0Miner, the JavaX miner and at least two XMRig variants, the Jin and Mimu cryptocurrency miner bots.
In addition, Sophos discovered several backdoors being used, including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused), along with several PowerShell-based reverse shells.
While some payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to the use of Sliver and used the same wallets as Mimo, suggesting they were operated by the same threat group.
VMware Horizon servers are among the most targeted products of attackers using the Log4Shell exploit. VMware has issued patches, but many organizations still have not mitigated the vulnerabilities by applying the patch or workarounds.
Even if they are now patched, systems may already be compromised due to the backdoors and reverse shells used in these exploits, according to Sophos, which calls for organizations to thoroughly research their exposure to Log4Shell.
“Even if they have, as demonstrated by the backdoors and reverse shell activity we found, those systems may already be compromised in other ways,” the company says in its report.
Read the company’s report for more information on detecting these attacks.