
Log4Shell Vulnerability Actively Used to Inject Malware into VMWare Horizon Servers


The aftershocks of the Log4Shell (Log4j) vulnerability, unearthed in late 2021, are still being felt across the IT security sector. Security researchers have discovered ongoing attacks that abuse the infamous vulnerability to compromise VMware Horizon servers and infect them with several kinds of malware.

Log4j is the widely used Java-based logging library that the vulnerability affects. Strictly speaking, Log4Shell is the name of the vulnerability and Log4j the name of the affected software, but the two terms have become interchangeable.

Log4Shell, dubbed the "vulnerability of the decade" by security experts, received the maximum severity score of 10.0 when it was cataloged.

New campaign spreads cryptominers and backdoors

A research team at security company Sophos is monitoring a new, ongoing attack campaign that abuses the vulnerability. The hackers running the campaign are targeting VMware Horizon servers that are still running unpatched software.

The servers, once compromised, are being infected with several different types of backdoors, as well as cryptominer malware.

Once the systems have been compromised using Log4Shell, the hackers install legitimate remote access and viewing tools that are used as backdoors.

A handful of cryptominers are used in these attacks, including JavaX, Jin, z0Miner, and Mimu. There is partial evidence that the campaign spreading these cryptominers may be connected to an older campaign that exploited a different, earlier vulnerability.

Alongside the cryptominer and backdoor deployment on the compromised VMware Horizon servers, researchers also observed the campaign deploying data collection tools. These additional tools attempt to scrape backup and system data from the affected devices.

Log4Shell – the exploit that would not go away

The predictions that Log4Shell would plague IT security for a very long time appear to be coming true. Attackers do not even have to try particularly hard: because the underlying library is embedded in such a huge number of systems, unpatched instances will likely remain for years to come, just as researchers predicted.
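Finding those unpatched instances is the practical problem for defenders. The following scanner is an added example written for this article, not code from Sophos, VMware or the Log4j project. It walks a directory tree, opens every JAR/WAR/EAR (recursing into jars bundled inside them), reads the log4j-core version from the Maven metadata, and checks whether the JNDI lookup class that Log4Shell relies on is still present. The fixed-version thresholds (2.15.0 for the main 2.x line, 2.12.2 and 2.3.1 for the Java 7 and Java 6 back-port branches) are the published Log4Shell fix releases; the sample jars are constructed in memory so the script runs offline, and a jar containing JndiLookup but no version metadata is treated as suspect rather than silently passed.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries that identify a log4j-core jar and the class behind Log4Shell's JNDI lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def log4shell_fixed(version: Tuple[int, int, int]) -> bool:
    """True when this log4j-core version carries the Log4Shell fix: 2.15.0 on the
    main 2.x line, 2.12.2 on the Java 7 branch, 2.3.1 on the Java 6 branch."""
    major, minor, _ = version
    if major != 2:
        return True  # log4j 1.x is not affected by Log4Shell
    if minor == 12:
        return version >= (2, 12, 2)
    if minor == 3:
        return version >= (2, 3, 1)
    return version >= (2, 15, 0)


@dataclass
class JarReport:
    label: str                  # file path, with "!member" appended for nested jars
    version: Optional[str]      # None when no log4j-core pom.properties was found
    jndi_lookup_present: bool
    vulnerable: bool


def _inspect_zip(zf: zipfile.ZipFile, label: str, reports: List[JarReport]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        # Removing JndiLookup.class was an accepted mitigation, so a jar without it is
        # not flagged. A JndiLookup with no version metadata (e.g. a shaded jar) is
        # treated as suspect until someone reviews it.
        vulnerable = has_jndi and (version is None or not log4shell_fixed(parse_version(version)))
        reports.append(JarReport(label, version, has_jndi, vulnerable))
    # Recurse into jars bundled inside wars, ears and fat jars.
    for name in names:
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect_zip(inner, f"{label}!{name}", reports)
            except zipfile.BadZipFile:
                continue


def inspect_jar_bytes(data: bytes, label: str) -> List[JarReport]:
    reports: List[JarReport] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _inspect_zip(zf, label, reports)
    return reports


def scan_tree(root: str) -> List[JarReport]:
    """Scan every archive under root (e.g. an application install directory)."""
    reports: List[JarReport] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    with open(path, "rb") as fh:
                        reports.extend(inspect_jar_bytes(fh.read(), path))
                except (OSError, zipfile.BadZipFile):
                    continue
    return reports


def make_sample_jar(version: str, include_jndi: bool, wrap_in_war: bool = False) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the Maven metadata and a
    placeholder class entry, enough to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    if not wrap_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", buf.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    samples = {
        "log4j-core-2.14.1.jar": make_sample_jar("2.14.1", True),
        "log4j-core-2.17.1.jar": make_sample_jar("2.17.1", True),
        "log4j-core-2.14.1-stripped.jar": make_sample_jar("2.14.1", False),
        "app.war": make_sample_jar("2.14.1", True, wrap_in_war=True),
    }
    for name, data in samples.items():
        for r in inspect_jar_bytes(data, name):
            print(f"{'VULNERABLE' if r.vulnerable else 'ok':10} {r.label} "
                  f"version={r.version} JndiLookup={r.jndi_lookup_present}")
```

On a real host, call `scan_tree()` on the application install directory rather than the sample jars; a report whose `version` is `None` but whose `jndi_lookup_present` is true deserves manual inspection, since shaded or repackaged jars often drop the Maven metadata the version check depends on.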
