Security News > 2022 > January > Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers
An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploits the Log4Shell vulnerability in unpatched VMware Horizon Servers.
The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating a previous advisory from the U.K. National Health Service that sounded the alarm on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks.
"Prophet Spider primarily gains access to victims by compromising vulnerable web servers, and uses a variety of low-prevalence tools to achieve operational objectives," CrowdStrike noted in August 2021, when the group was spotted actively exploiting flaws in Oracle WebLogic servers to gain initial access to target environments.
Like with many other initial access brokers, the footholds are sold to the highest bidder on underground forums located in the dark web, who then exploit the access for ransomware deployment.
This is far from the first time internet-facing systems running VMware Horizon have come under attack using Log4Shell exploits.
The onslaught against Horizon servers has also prompted VMware to urge its customers to apply the patches immediately.
News URL
https://thehackernews.com/2022/01/initial-access-broker-involved-in.html
Related news
- Crafting Shields: Defending Minecraft Servers Against DDoS Attacks (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Chilean hosting firm's VMware ESXi servers hit by new SEXi ransomware (source)
- Hosting firm's VMware ESXi servers hit by new SEXi ransomware (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)