Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers

An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploits the Log4Shell vulnerability in unpatched VMware Horizon Servers.

According to new research published by BlackBerry Research & Intelligence and Incident Response (IR) teams today, the cybercrime actor has been opportunistically weaponizing the shortcoming to download a second-stage payload onto the victimized systems.

The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating a previous advisory from the U.K. National Health Service (NHS) that sounded the alarm on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks.

Log4Shell is a moniker used to refer to an exploit affecting the popular Apache Log4j library that results in remote code execution by logging a specially crafted string. Since public disclosure of the flaw last month, threat actors have been quick to operationalize this new attack vector for a variety of intrusion campaigns to gain full control of affected servers.

BlackBerry said it observed instances of exploitation mirroring tactics, techniques, and procedures (TTPs) previously attributed to the Prophet Spider eCrime cartel, including the use of “C:WindowsTemp7fde” folder path to store malicious files and “wget.bin” executable to fetch additional binaries as well as overlaps in infrastructure used by the group.

“Prophet Spider primarily gains access to victims by compromising vulnerable web servers, and uses a variety of low-prevalence tools to achieve operational objectives,” CrowdStrike noted in August 2021, when the group was spotted actively exploiting flaws in Oracle WebLogic servers to gain initial access to target environments.

Like with many other initial access brokers, the footholds are sold to the highest bidder on underground forums located in the dark web, who then exploit the access for ransomware deployment. Prophet Spider is known to be active since at least May 2017.

This is far from the first time internet-facing systems running VMware Horizon have come under attack using Log4Shell exploits. Earlier this month, Microsoft called out a China-based operator tracked as DEV-0401 for deploying a new ransomware strain called NightSky on the compromised servers.

The onslaught against Horizon servers has also prompted VMware to urge its customers to apply the patches immediately. “The ramifications of this vulnerability are serious for any system, especially ones that accept traffic from the open Internet,” the virtualization services provider cautioned.

“When an access broker group takes interest in a vulnerability whose scope is so unknown, it’s a good indication that attackers see significant value in its exploitation,” Tony Lee, vice president of global services technical operations at BlackBerry, said.

“It’s likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it’s an attack vector against which defenders need to exercise constant vigilance,” Lee added.