Log4Shell Exploited To Infect VMware Horizon Servers With Backdoors, Crypto Miners

An anonymous reader quotes a report from ZDNet: The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information. Log4Shell is a critical vulnerability in Apache Log4J Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools.

The other backdoor detected by Sophos is Silver, an open source offensive security implant released for use by pen testers and red teams. Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks. A PowerShell URL connected to this both campaigns suggests there may also be a link, although that is uncertain. [...] In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

Patching fast is mandatory today

[gweihir]

If you cannot do it, or miss when you need to do it, you are not running IT professionally, you are a bloody dangerous amateur-shop instead. For a business, screwing up like this should come with significant penalties, up to and including prison time for the responsible C-levels (suspended on first offense) if privacy-relevant personal data was exposed as a result.

Re:

[Kokuyo]

Yeah, well, I patched my Vmware appliances as fast as I could and still one crypto miner got in.

Perhaps you would have done better, who knows, but you weren't here to help, were you? That's the problem with Supermen like yourself... you're never there when you're needed.

Re:

[JackieBrown]

What other non-violent offences do you think should result in prison time?

Re:

[tlhIngan]

If you cannot do it, or miss when you need to do it, you are not running IT professionally, you are a bloody dangerous amateur-shop instead. For a business, screwing up like this should come with significant penalties, up to and including prison time for the responsible C-levels (suspended on first offense) if privacy-relevant personal data was exposed as a result.

And that's why everyone is farming out the work to third parties and the cloud - because a business can be inundated with such things to the poin

Re:

[gweihir]

Quite. It is not important that you do it yourself. It is important that it is being done fast and competently. Even only keeping abreast of things takes a day per week or more (spread over the week) and that is already too much for a small shop. If you get a managed service for this or outsource your IT to somebody competent, that is a good solution. They can then apply their knowledge and skill to a larger pool of IT installations.

While I did think of that as an option to get the capability, I did not wri

Does mining require authentication?

[sabbede]

If it does, then theoretically if someone dropped a miner onto your server, you could extract the creds for the wallet and take your money back.

If it doesn't, then why the hell not?