Security News > 2022 > March > Log4JShell Used to Swarm VMware Servers with Miners, Backdoors

What researchers are calling a "Horde" of miner bots and backdoors are using the Log4Shell bug to take over vulnerable VMware Horizon servers, with threat actors still actively waging some attacks.

On Tuesday, Sophos reported that the remote code execution Log4j vulnerability in the ubiquitous Java logging library is under active attack, "Particularly among cryptocurrency mining bots." Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes are initial access brokers that could lay the groundwork for later ransomware infections.

In late December and January, VMWare's Horizon servers with Log4Shell vulnerabilities came under Cobalt Strike attack, as flagged by researchers at Huntress.

Those attacks used the Lightweight Directory Access Protocol resource call of Log4j to retrieve a malicious Java class file that modified existing, legitimate Java code, injecting a web shell into the VM Blast Secure Gateway service and thereby granting attackers remote access and code execution.

The attacks against Horizon servers grew throughout January.

Saryu Nayyar, CEO and founder of Gurucul, told Threatpost that in order to fight the legitimate assessment tools being used to breach organizations, it's also "Critical" to employ sophisticated technologies - namely, self-training machine learning and behavioral models - to sniff out exploitation of exposed vulnerabilities as well as to detect the remote surveillance done by attackers with tools such as Cobalt Strike, et al.

News URL

https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/