{"id":45079,"date":"2022-01-27T12:13:00","date_gmt":"2022-01-27T12:13:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/access-broker-found-exploiting-log4j-vulnerability-in-vmware\/"},"modified":"2022-01-27T12:13:00","modified_gmt":"2022-01-27T12:13:00","slug":"access-broker-found-exploiting-log4j-vulnerability-in-vmware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/access-broker-found-exploiting-log4j-vulnerability-in-vmware\/","title":{"rendered":"Access broker found exploiting Log4j vulnerability in VMware"},"content":{"rendered":"
<\/div>\n

A gang of cybercriminals known for breaking into computer systems and selling access to them has been discovered exploiting an Apache Log4j vulnerability, Log4Shell, in  unpatched VMware Horizon to plant cryptominers and backdoors on targeted systems.<\/p>\n

In a blog published Wednesday<\/a>, Blackberry’ researchers Ryan Gibson, Codi Starks and Will Ikard revealed that Prophet Spider was behind the attacks, which could be reliably detected by monitoring ws_TomcatService.exe, the Tomcat service used by VMware Horizon.<\/p>\n

The researchers explained that after exploiting the Log4Shell vulnerability to penetrate a system, the attackers use PowerShell commands to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some instances, Cobalt Strike beacons\u2014a kind of system backdoor\u2014were also installed on the computers.<\/p>\n

One of the indicators that helped pin the attacks to Prophet Spider was its use of the C:\\Windows\\Temp\\7fde\\ folder path to store malicious files, the researchers wrote. The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts. The IP address used in the download cradle has also been previously attributed to the group.<\/p>\n

Prophet Spider foothold suggests an uptick in exploits<\/strong><\/h2>\n

BlackBerry Vice President of Global Services and Technical Operations Tony Lee explains that initial access brokers like Prophet Spider break into computer systems, establish a foothold, then sell that access to another malicious actor, who will perform tasks such as steal data, move through the system laterally, or infect it with ransomware. “If they find the vulnerability, they’ll exploit it,” he said, “and then wait to see who the highest bidder will be.”<\/p>\n

“Now that they have the capability to gain a foothold in systems, I think we’ll see an uptick in Log4j exploitation,” Lee adds.<\/p>\n