


An anonymous reader quotes a report from ZDNet: The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but scripts are also used to gather and steal device information.

Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools. The other backdoor detected by Sophos is Sliver, an open source offensive security implant released for use by pen testers and red teams. Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks. A PowerShell URL connected to both campaigns suggests there may also be a link, although that is uncertain. In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency. Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz.
