fbpx
Founder Institute Lagos Founder Institute Lagos Founder Institute Lagos
  • Home
  • About
  • Partners
  • Advertise
  • Contact
  • Signup to receive updates
Innovation | Startups | Funding | Tech Blog in Africa
Advertisement
  • Home
  • Startups
  • Hubs
  • Funding
  • WomenTech
  • CleanTech
  • Blockchain
No Result
View All Result
  • Home
  • Startups
  • Hubs
  • Funding
  • WomenTech
  • CleanTech
  • Blockchain
No Result
View All Result
Innovation | Startups | Funding | Tech Blog in Africa
No Result
View All Result
Home General

Cyber Attackers are Leveraging the Log4Shell Vulnerability, delivering Backdoors to Virtual Servers – Sophos Research reveals

Sophos Finds Three Backdoors, Possibly Delivered by Initial Access Brokers, and Four Cryptominers Targeting Unpatched VMware Horizon Servers, a Red Flag for Ransomware

by Dare Afolabi
2022/03/31 - Updated on 2022/04/02
in General
Log4Shell - techbuild
Share on FacebookShare on Twitter
Tweet
Share
Share

Sophos, a global leader in next-generation cybersecurity, has released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks.

A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers. The backdoors are possibly delivered by Initial Access Brokers.

Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. It was reported and patched in December 2021.

“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos.

RelatedPosts

CFA urges Positive Narratives for Anambra as Wikimedia Anambra Network celebrates One Year

Unlocking Socio-Economic Progress: Early-Stage VC in South Africa

NiRA announces Voting for the 2023 .NG Awards: Celebrating Excellence in Nigeria’s Digital Community

Energy, AI and a Groovy New Tech Demo Area All on the Menu at Africa Tech Festival

Sean Gallagher senior security researcher at Sophos

“Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information.

Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.”

The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
  • The malicious Sliver backdoor
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu
  • Several PowerShell-based reverse shells that collect device and backup information

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMrig Monero miner botnet.

According to Sophos, the attackers are using several different approaches to infect targets. While some of the earlier attacks used Cobalt Strike to stage and execute the cryptominer payloads, the largest wave of attacks that began in mid-January 2022, executed the cryptominer installer script directly from the Apache Tomcat component of the VMware Horizon server. This wave of attacks is ongoing.

Log4Shell Vulnerability

“Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications that include Log4J with the patched version of the software.

This includes patched versions of VMware Horizon if organizations use the application in their network,” said Gallagher.

“Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking in within their infrastructure, particularly in commercial, open-source or custom software that doesn’t have regular security support.

And while patching is vital, it won’t be enough if attackers have already been able to install a web shell or backdoor in the network.

Defense in depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks.”

For further information read the article “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers” on Sophos News.

Sophos has closely monitored attack activity related to the Log4Shell vulnerability and has published a number of in depth technical and advisory reports, including Log4Shell Hell – Anatomy of an Exploit Outbreak, Log4Shell Response and Mitigation Recommendations, Inside the Code: How the Log4Shell Exploit Works, and Log4Shell: No Mass Abuse, But No Respite, What Happened?

Additional Resources

  • Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of attackers
  • Further details on the evolving cyberthreat landscape can be found in the Sophos 2022 Threat Report
  • Tactics, techniques, and procedures (TTPs) and more for different types of threats are available on SophosLabs Uncut, which provides Sophos’ latest threat intelligence
  • Information on attacker behaviors, incident reports and advice for security operations professionals is available on Sophos News SecOps
  • Learn more about Sophos’ Rapid Response Service that contains, neutralizes and investigates attacks 24/7
  • The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team

Read the latest security news and views on Sophos’ award-winning news website Naked Security and on Sophos News


Don’t miss important articles during the week. Subscribe to techbuild.africa weekly digest for updates.

Join @techbuildafrica on Telegram
Tweet
Share
Share
ShareTweetShareSendShare

Subscribe us

Recent Posts

  • Nigerian SMB? Apply for Google Hustle Academy Fund (₦75 Million)
  • AI for Health: 5 African Companies make Google for Startups Growth Academy Selection
  • CFA urges Positive Narratives for Anambra as Wikimedia Anambra Network celebrates One Year
  • CIC partners ChipLab to drive Nigeria’s Microchip Industry
  • Root secures $1.5M from Invenfin to accelerate Expansion Plans
  • AfriLabs Annual Gathering 2023: Key Players set to Drive Africa’s Digital Economy
  • Unlocking Socio-Economic Progress: Early-Stage VC in South Africa
  • Young Nigerian Innovator? Apply for IMC Go-to-Talent Challenge ($10K)
  • NiRA announces Voting for the 2023 .NG Awards: Celebrating Excellence in Nigeria’s Digital Community
  • Anambra ICT Agency MD to Keynote Bossladylaw Business Challenge
Innovation | Startups | Funding | Tech Blog in Africa

© 2013-2021 techbuild.africa. All Rights Reserved.

Navigate Site

  • About
  • Contact
  • WE-Forum
  • Privacy
  • Sitemap
  • Terms
  • Blockchain
  • CleanTech

Follow Us

No Result
View All Result
  • Home
  • Startups
  • Hubs
  • Funding
  • WomenTech
  • CleanTech
  • Blockchain

© 2013-2021 techbuild.africa. All Rights Reserved.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In