By using this site, you agree to the Privacy Policy and Terms & Conditions.
Accept
Okay.ngOkay.ngOkay.ng
Font ResizerAa
  • News
    • Politics
  • Entertainment
  • Business & Economy
  • Sport
  • Tech
Reading: Sophos finds three backdoors, possibly delivered by initial access brokers, and four cryptominers targeting unpatched VMware Horizon Servers
Share
Font ResizerAa
Okay.ngOkay.ng
  • News
  • Entertainment
  • Business & Economy
  • Sport
  • Tech
Search
  • News
    • Politics
  • Entertainment
  • Business & Economy
  • Sport
  • Tech
Follow US
  • About Okay.ng
  • Advertising on Okay.ng
  • Contact Okay.ng
  • Careers
  • Meet the Team behind Okay.ng
  • Ownership and Funding of Okay.ng
  • Editorial Principles at Okay.ng
© OKN MEDIA PUBLISHING 2022 - All rights reserved
Featured

Sophos finds three backdoors, possibly delivered by initial access brokers, and four cryptominers targeting unpatched VMware Horizon Servers

Okay.ng
By Okay.ng
Published: April 2, 2022
Share
5 Min Read
SHARE

Sophos, a global leader in next-generation cybersecurity, today released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks.

A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers.

The backdoors are possibly delivered by Initial Access Brokers.

Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products.

- Advertisement -

It was reported and patched in December 2021.

“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information. Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.”

The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:

- Advertisement -

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
  • The malicious Sliver backdoor
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu
  • Several PowerShell-based reverse shells that collect device and backup information

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMrig Monero miner botnet.

According to Sophos, the attackers are using several different approaches to infect targets. While some of the earlier attacks used Cobalt Strike to stage and execute the cryptominer payloads, the largest wave of attacks that began in mid-January 2022, executed the cryptominer installer script directly from the Apache Tomcat component of the VMware Horizon server. This wave of attacks is ongoing.

“Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications that include Log4J with the patched version of the software. This includes patched versions of VMware Horizon if organizations use the application in their network,” said Gallagher. “Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source or custom software that doesn’t have regular security support. And while patching is vital, it won’t be enough if attackers have already been able to install a web shell or backdoor in the network. Defense in depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks.”

For further information read the article “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers” on Sophos News.

Sophos has closely monitored attack activity related to the Log4Shell vulnerability and has published a number of in depth technical and advisory reports, including  Log4Shell Hell – Anatomy of an Exploit Outbreak, Log4Shell Response and Mitigation Recommendations, Inside the Code: How the Log4Shell Exploit Works, and Log4Shell: No Mass Abuse, But No Respite, What Happened?

Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats.

Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos delivers a broad portfolio of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyberattacks. 

Sophos provides a single integrated cloud-based management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that features a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity vendors.

Sophos sells its products and services through reseller partners and managed service providers (MSPs) worldwide.

Stay Updated on the Go with Our Latest News—Join Our WhatsApp Channel Now!
TAGGED:Sophos
Share This Article
Facebook Whatsapp Whatsapp Telegram Email Copy Link Print
ByOkay.ng
Follow:
Okay.ng launched under OKN MEDIA PUBLISHING (RC Number: 2993580) in the year 2012 is an independent digital news platform with thousands of page views and unique visitors every month
Previous Article Tinuade Sanda Eko DisCo gets first female MD
Next Article Augustine Eguavoen Eguavoen steps down as Super Eagles coach with immediate effect

Connect with Okay on Social

FacebookLike
XFollow
InstagramFollow
TelegramFollow

Dollar/Naira Rates

Dollar to Naira Exchange Rate

Okay.ng Logo
Buy Rate ₦1,605.00
Sell Rate ₦1,620.00

Last updated: 6 days ago (June 3, 2025 2:33 pm)

Displayed rates are for informational purposes only and are subject to change.

USD/NGN Converter

- Advertisement -
- Advertisement -
Ad imageAd image
- Advertisement -
Ad imageAd image

Recent Posts

Portugal Edge Spain on Penalties to Clinch Second UEFA Nations League Title
Sport
Tinubu Mourns Seasoned Administrator, Fidelis Kaigama
News
Minister Hanatu Musawa Highlights President Tinubu’s Vision for Nigeria’s Cultural Renaissance at Ojude Oba Festival
News
Tinubu Declares Reconciliation with Sanwo-Olu, Forgives Past Differences
News Top stories
JUST IN: Osimhen Turns Down €75m Al Hilal Move, Keeps European Options Open
Sport Top stories
- Advertisement -
Ad imageAd image

You May Also Like

Lucky Orimisan Aiyedatiwa
News

Ondo PDP Accuses Governor Aiyedatiwa of Abandoning Late Akeredolu’s Projects Amid Political Tensions

Oluwadara Akingbohungbe
Oluwadara Akingbohungbe
June 8, 2025
News

Governor Dapo Abiodun Honors Ijebu Heritage at Ojude Oba Festival

Oluwadara Akingbohungbe
Oluwadara Akingbohungbe
June 8, 2025
News

FG Declares Thursday Public Holiday for 2025 Democracy Day

Muhammad A. Aliyu
Muhammad A. Aliyu
June 8, 2025
Okay.ngOkay.ng
Follow US
© OKN MEDIA PUBLISHING 2025 - All rights reserved
  • About Okay.ng
  • Advertising on Okay.ng
  • Contact Okay.ng
  • Careers
  • Meet the Team behind Okay.ng
  • Ownership and Funding of Okay.ng
  • Editorial Principles at Okay.ng
adbanner
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?