www.zdnet.com
2a04:4e42:4d::666
Public Scan
Submitted URL: https://t.co/wzq4KPjrzf
Effective URL: https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-servers-with-backdoors-crypto-miners/
Submission: On April 04 via api from US — Scanned from DE
LOG4SHELL EXPLOITED TO INFECT VMWARE HORIZON SERVERS WITH BACKDOORS, CRYPTO MINERS

Three backdoors and four miners have been detected in new attacks.

Written by Charlie Osborne, Contributor. Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London.

Posted in Zero Day on March 29, 2022 | Topic: Security

The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers.

On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but scripts are also used to gather and steal device information.

Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

Researchers have warned that exploitation of Log4Shell is likely to continue for years, especially considering how simple the bug is to exploit. Microsoft previously detected Log4Shell attacks conducted by state-sponsored cybercriminals, but most attacks appear to focus on cryptocurrency mining, ransomware, and bot activities.

A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated.

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers.
Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools. The other backdoor detected by Sophos is Sliver, an open source offensive security implant released for use by pen testers and red teams.

Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks.

A PowerShell URL connected to both campaigns suggests there may also be a link, although that is uncertain.

"While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to the use of Sliver, and used the same wallets as Mimo -- suggesting these three malware [strains] were used by the same actor," the researchers say.

In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

"Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source or custom software that doesn't have regular security support," commented Sean Gallagher, Sophos senior security researcher. "And while patching is vital, it won't be enough if attackers have already been able to install a web shell or backdoor in the network."
PREVIOUS AND RELATED COVERAGE

* Log4j update: Experts say log4shell exploits will persist for 'months if not years'
* Log4j flaw: Attackers are targeting Log4Shell vulnerabilities in VMware Horizon servers, says NHS
* Log4Shell flaw: Still being used for crypto mining, botnet building... and Rickrolls