Log4J: BlackBerry finds Prophet Spider access broker exploiting VMware Horizon

BlackBerry researchers found evidence correlating attacks from an initial access broker group with the exploitation of the Log4J vulnerability in VMware Horizon.
Written by Jonathan Greig, Contributor

Initial access broker group, Prophet Spider, has been found exploiting the Log4J vulnerability in VMware Horizon, according to a new report from researchers with BlackBerry Research & Intelligence and Incident Response teams.

Even though VMware released a patch in December and has published extensive guidance on how to mitigate the issue, many implementations remain unpatched. 

Tony Lee, vice president of global services technical operations at BlackBerry, told ZDNet that his team has found evidence correlating attacks from Prophet Spider with the exploitation of the Log4J vulnerability in VMware Horizon.

"When an access broker group takes interest in a vulnerability whose scope is so unknown, it's a good indication that attackers see significant value in its exploitation," Lee said. "It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it's an attack vector against which defenders need to exercise constant vigilance."

BlackBerry found mass deployments of cryptocurrency mining software and Cobalt Strike beacons but also discovered "an instance of exploitation containing tactics, techniques, and procedures relating to the Prophet Spider IAB."

They noted that the group is known to compromise networks and later sell access to ransomware operators. 

"One of the indicators that helped us attribute the event to this threat group was their use of the C:\Windows\Temp\7fde\ folder path to store malicious files. The threat actor also downloaded a copy of the wget.bin executable, which the group has historically used to get additional files onto infected hosts. The IP used in the download cradle has also been previously attributed to the Prophet Spider group," the researchers wrote. 

Security firms and many other organizations have warned about Log4J vulnerabilities in VMware Horizon since the beginning of the year. The UK's National Health Service (NHS) was one of the first to warn that hackers were attempting to exploit a Log4J vulnerability in VMware Horizon servers to establish web shells that could be used to distribute malware and ransomware, steal sensitive information, and complete other malicious attacks. 

A VMware spokesperson said the company is "working around the clock to patch and provide the necessary guidance for customers to do the same."

"With SaaS products, the company providing the software can quickly and efficiently implement the security patches. But organizations using on-premises licenses of software products must take their own affirmative steps to apply the security patch in their own environment," the company explained. 

VMware said that even with its security alerts and efforts to contact customers directly, they continue to see that some companies have not patched. 

"VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA 2021-0028, which was first published on Dec. 10, 2021, and updated regularly with new information" the spokesperson said. 

"Customers who have not applied either the patch or the latest workaround provided in VMware's security advisory are at risk of being compromised-or may have already been compromised-by threat actors who are leveraging the Apache Log4shell vulnerability to compromise unpatched, internet-facing Horizon environments actively. Any time we see vulnerabilities that are as far-reaching as Log4J, it is critical that all impacted users move quickly to implement security responses."

Editorial standards