Log4j RCE: Emergency patch issued to plug critical auth-free code execution hole in widely used logging utility. One Sophos customer was hit by both reverse shells and the Mimu miner, but the researchers said that could be multiple infections by different hackers that were initially put in by an initial access broker. The motives of the bad actors using the reverse shells were unclear. There were also a number of backdoors deployed that used the Log4j flaw, including some PowerShell reverse shells. "While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to use of Sliver, and used the same wallets as Mimo – suggesting these three malware were used by the same actor." "There were also several backdoors – including the Sliver implant, Atera agent and Splashtop Streamer (both legitimate software products being abused), and several PowerShell-based reverse shells," the researchers wrote. Many were cryptominers, including z0Miner, JavaX miner and at least two variants of XMRig, called the "Jin" and "Mimu" miner bots. Sophos said it had found a variety of payloads deployed to the targeted Horizon servers. Other hackers didn't use reverse-shell software, instead directly targeting the Tomcat server inside of Horizon. The initial attacks in late December 2021 and January of this year exploiting the Log4j flaw used Cobalt Strike malware. 
That added a web shell that delivered remote access and code execution capabilities to the attackers. "But platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily be found and exploited with well-tested tools."Īccording to Sophos, the attacks on VMware Horizon that started in January used the Lightweight Directory Access Protocol resource call in Log4j for a malicious Java class file that modified legitimate Java code. "Organizations should thoroughly research their exposure to potential Log4J vulnerabilities, as they may impact commercial, open-source and custom software that in some cases may not have regular security support," Szappanos and Gallagher wrote.
0 kommentar(er)
