Application Security , Business Continuity Management / Disaster Recovery , Cybercrime
Report: Access Broker Exploiting VMware Log4j Vulnerability
BlackBerry Researchers Detect Signs of Access Broker Group 'Prophet Spider IAB'The risks posed by Apache Log4j continue, as a previously seen initial access broker group with the codename Prophet Spider IAB appears to be targeting vulnerabilities in the logging utility to infiltrate the virtualization solution VMware Horizon, researchers at BlackBerry warn.
See Also: Gartner Guide for Digital Forensics and Incident Response
VMware released a patch to fix the Log4j remote code execution flaw present in its software last December and has issued guidance on mitigation. But in its new report, BlackBerry says its security research team has tracked cryptomining software and Cobalt Strike deployments on Horizon. The latter tool is marketed as "software for adversary simulations and red team operations," but attackers regularly use cracked copies of the tool to build botnets.
BlackBerry also says tactics, techniques and procedures related to Prophet Spider IAB - which is known to sell network access to other criminals, including ransomware gangs - have been spotted.
The online crime group Prophet Spider has been active since at least May 2017 and primarily gains access to victim organizations by compromising vulnerable web servers, cybersecurity firm CrowdStrike reports. The gang employs low-prevalence tools to achieve operational objectives, including remote access, it says.
Log4j Concerns
The flaw in the Java-based logging utility Log4j, which can be exploited to remotely execute code, was first reported on Dec. 9, 2021, after allegedly being detected by Alibaba's cloud security unit. The nonprofit Apache Software Foundation, which manages Apache's open-source projects, has continued to release semi-regular updates for the logging library.
Warnings - including from the U.K. National Health Service - over the Log4j flaw being present in VMware Horizon have been circulating for weeks, and threat actors have reportedly been exploiting the flaw to establish persistent access (see: Log4Shell Update: VMware Horizon Targeted).
And BlackBerry researchers Codi Starks, Ryan Gibson and Will Ikard, in a new report, continue to warn about the danger posed by Log4Shell vulnerabilities, citing the logging utility's "popularity in many applications (including VMware), combined with the severity of the exploit."
They warn that despite VMware's patch and subsequent guidance, "many implementations remain unpatched, leaving them susceptible to exploitation."
Watch for Cryptominers, Cobalt Strike
The BlackBerry researchers say attackers most commonly use encoded PowerShell commands to download a second-stage payload to victimized systems, after using the Log4j flaw to first gain access.
They warn that in some cases, the threat actors also attempted to use the curl.exe binary file to download additional files to the system and to execute the downloaded content using the Windows Subsystem for Linux Bash utility.
They say multiple cryptominers were identified after successful exploitation and in one case, PowerShell was used to download and execute the "xms.ps1" file containing a cryptominer.
The researchers say the script then created a Scheduled Task to establish persistence and to store command-and-control and wallet configurations.
The cybersecurity firm also "discovered instances where a web shell file was injected into absg-worker.js, and the VMBlastSG service restarted to allow for connections to the web shell."
BlackBerry calls the threat actors in these cases "tidy" - citing the cleanup actions they took following miner installation. They also confirm that the actors, in some cases, downloaded and installed Cobalt Strike beacons.
'Prophet Spider'
Starks, Gibson and Ikard write of access-broker discovery: "One of the indicators that helped us attribute the event to [Prophet Spider] was their use of the C:WindowsTemp7fde folder path to store malicious files. The threat actor also downloaded a copy of the wget.bin executable, which has historically been used by the group to get additional files onto infected hosts."
The researchers say the attackers then attempted to enumerate information about the network and domain and ultimately harvest credentials from the registry.
Commenting on the findings, a VMware spokesperson tells Information Security Media Group: "The security of our customers is a top priority ... and we continue to urge customers to apply the latest guidance in our security advisory, VMSA-2021-0028, to resolve critical Apache Log4j vulnerabilities. Any service connected to the internet and not yet patched for critical Log4j vulnerabilities is vulnerable, and VMware strongly recommends that customers managing on-premises deployments of VMware Horizon take affirmative steps to apply the available guidance in our security advisory."
One security expert says these findings demonstrate how initial access brokers continue to be on the front lines of network intrusion.
"[They] leverage any opportunity to gain access to an organization. They must maintain that access as they sell it and hand it off to the buyer," says Jorge Orchilles, CTO for the adversary emulation platform and security consultancy Scythe. "Today the exploit is Log4. Tomorrow it will be another. As defenders, we want to be able to detect and respond to the inevitable exploit that will one day break through our protection."
Value in Exploitation
The BlackBerry researchers say that this particular access broker is only one of many groups that will be targeting the Log4j flaws. "When an initial access broker group takes interest in a vulnerability whose scope may never be known, this gives us a good indication that they see significant value in its exploitation," they say. "It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability in the near future."
Unfortunately, this state of affairs looks set to persist indefinitely, Tony Lee, BlackBerry's vice president of global services for technical operations, tells ISMG. "The biggest takeaway [here] is that this vulnerability is the perfect storm and we may never see an end to it," he says. "The hosts are easily accessible because they often sit directly exposed to the internet. It is a gold mine - in cryptocurrency - for those threat actors who can automate discovery, exploit and payload delivery."
Vulnerability Spotted in Log4j Search
Last week, researchers at Microsoft tracking Log4j exploits discovered a previously undisclosed vulnerability in SolarWinds' Serv-U software, which the firm has since confirmed and patched (see: Microsoft Finds SolarWinds Vulnerability Amid Log4j Search).
Jonathan Bar, a security researcher with the tech giant, outlined the findings via Twitter, noting that attackers "could feed Ssrv-U with data and it'll build a LDAP query with your unsanitized input! This could be used for Log4j attack attempts, but also for LDAP injection."
Bar confirmed that SolarWinds immediately addressed the issue.
Microsoft later issued a report expanding on the findings, saying the vulnerability has been designated CVE-2021-35247.
SolarWinds has also issued its own advisory and confirmed that "no downstream affect has been detected as the LDAP servers ignored improper characters." It urged customers to update to the latest version - 15.3 - of Serv-U to remediate the flaw.
Update (Jan. 26, 7 p.m. ET): This story has been updated to include commentary from BlackBerry's Tony Lee.