Security News > 2022 > January > Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers
An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploit the Log4Shell vulnerability in unpatched VMware Horizon servers.
The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating a previous advisory from the U.K. National Health Service that sounded the alarm on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks.
"Prophet Spider primarily gains access to victims by compromising vulnerable web servers, and uses a variety of low-prevalence tools to achieve operational objectives," CrowdStrike noted in August 2021, when the group was spotted actively exploiting flaws in Oracle WebLogic servers to gain initial access to target environments.
As with many other initial access brokers, the footholds are sold to the highest bidder on underground forums on the dark web, who then exploit the access for ransomware deployment.
This is far from the first time internet-facing systems running VMware Horizon have come under attack using Log4Shell exploits.
The onslaught against Horizon servers has also prompted VMware to urge its customers to apply the patches immediately.
News URL
https://thehackernews.com/2022/01/initial-access-broker-involved-in.html
Related news
- Critical RCE bug in VMware vCenter Server now exploited in attacks
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)
- Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks
- VMware fixes bad patch for critical vCenter Server RCE flaw
- Exploit released for new Windows Server "WinReg" NTLM Relay attack
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems