deadiop.blogg.se

Miners to infect VMware Horizon servers






The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors.
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu.
  • Several PowerShell-based reverse shells that collect device and backup information.

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMRig Monero miner botnet. According to Sophos, the attackers are using several different approaches to infect targets.

“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information. Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high-value target that they can sell on to other attackers, such as ransomware operators.”







