Initial access broker participates in Log4Shell attacks against VMware Horizon server

An access broker group originally tracked as Prophet Spider has been linked to a set of malicious activities that exploit the vulnerability. Log4Shell in the unpatched VMware Horizon Server.

According to new research published by BlackBerry’s Research & Intelligence and Incident Response (IR) team today, a cybercriminal attacker took the opportunity to weaponize the defect to download the second part onto the device. damaged systems.

The observed payloads included crypto miners, Cobalt Strike Beacons and web shells, corroborating previous advice from the UK’s National Health Service (NHS) that sounded the alarm. about actively exploiting vulnerabilities in VMware Horizon servers to remove malicious web shells and establish persistence on networks affected by subsequent attacks.

Log4Shell is a nickname used to refer to an exploit affecting the popular Apache Log4j library that resulted in the remote code execution by recording a specially crafted string. Since the vulnerability was made public last month, threat actors have been rapidly operating this new attack vector for a series of intrusion campaigns to gain full control of the affected servers.

BlackBerry says it has observed cases of tactics, techniques, and procedures that reflect exploits (TTPs) previously attributed to the Prophet Spider eCrime team, including the use of the “C: Windows Temp 7fde” to host malicious files and “wget .bin” executable to fetch additional binaries as well as overlaps in the infrastructure used by the team.

CrowdStrike noted in August 2021, when this group was found to be actively exploiting vulnerabilities in Oracle’s WebLogic servers to gain access to targeted environments.

Like many early access brokers, footholds are sold to the highest bidders on underground forums located in the dark web, who then exploit access to deploy ransomware. Prophet Spider is known to be active from at least May 2017.

This is not the first time that Internet-based systems running VMware Horizon have been attacked using the Log4Shell exploit. Earlier this month, Microsoft called a China-based operator tracked DEV-0401 to deploy a new strain of ransomware called NightSky on compromised servers.

The onslaught against Horizon servers also prompted VMware to urge its customers to apply patches immediately. The virtualization service provider warned: “The division of this vulnerability is very serious for any system, especially those that accept traffic from the open Internet.”

“When an access broker group is interested in a vulnerability of unknown scope, it is a good sign that attackers see significant value in exploiting it,” said Tony Lee, vice president. President of BlackBerry’s Worldwide Services Engineering Operations, said.

“It’s likely we’ll continue to see criminal groups explore Log4Shell vulnerabilities, so it’s an attack vector that defenders need to exercise constant vigilance on,” Lee added. .

.

.