Access broker found exploiting Log4j vulnerability in VMware

A gang of cybercriminals known for breaking into computer systems and selling access to them has been discovered exploiting an Apache Log4j vulnerability, Log4Shell, in  unpatched VMware Horizon to plant cryptominers and backdoors on targeted systems.

In a blog published Wednesday, Blackberry’ researchers Ryan Gibson, Codi Starks and Will Ikard revealed that Prophet Spider was behind the attacks, which could be reliably detected by monitoring ws_TomcatService.exe, the Tomcat service used by VMware Horizon.

The researchers explained that after exploiting the Log4Shell vulnerability to penetrate a system, the attackers use PowerShell commands to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some instances, Cobalt Strike beacons—a kind of system backdoor—were also installed on the computers.

One of the indicators that helped pin the attacks to Prophet Spider was its use of the C:WindowsTemp7fde folder path to store malicious files, the researchers wrote. The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts. The IP address used in the download cradle has also been previously attributed to the group.

Prophet Spider foothold suggests an uptick in exploits

BlackBerry Vice President of Global Services and Technical Operations Tony Lee explains that initial access brokers like Prophet Spider break into computer systems, establish a foothold, then sell that access to another malicious actor, who will perform tasks such as steal data, move through the system laterally, or infect it with ransomware. “If they find the vulnerability, they’ll exploit it,” he said, “and then wait to see who the highest bidder will be.”

“Now that they have the capability to gain a foothold in systems, I think we’ll see an uptick in Log4j exploitation,” Lee adds.

Lee acknowledged that it was impossible to determine how many systems had been compromised by the group. “They can take anywhere from a couple of weeks to a month to sell access,” he explains. However, he says the Blackberry Research & Intelligence and Incident Response teams were able to confirm intrusions at multiple organizations.

No individual industry vertical appeared to be in the gang’s crosshairs. “They seem opportunistic,” Lee says. “We haven’t seen a particular vertical being targeted. It’s more along the lines of ‘spray and pray.'”

Many VMware implementations remain unpatched

In their blog post, the Blackberry researchers noted that the exact number of applications—and their various versions—affected by the Log4j vulnerabilities may never be fully known. Although VMware released a patch and mitigation guidance in December 2021 in response to the vulnerability, they explained, many implementations remain unpatched, leaving them susceptible to exploitation.

“It’s difficult for many organizations to scan and patch all their digital assets, even just the external facing ones,” Lee says. “I see organizations struggling with just identifying their assets. If you can’t identify them, then you certainly can’t scan them. And if you can’t scan them, then you can’t have an effective vulnerability management program.”