BlackBerry security researchers conclude that hacking group Prophet Spider is actively exploiting a Log4j vulnerability in unpatched VMware Horizon servers.

In December 2021, VMware published a patch to fix a Log4j vulnerability in VMware Horizon. A month later, a UK government security team warned that hackers were actively exploiting VMware Horizon servers that had not yet been patched.

A new report from BlackBerry confirms the severity of the problem. In the report, BlackBerry claims that Prophet Spider — a notorious initial access broker — is successfully abusing outdated versions of VMware Horizon.

BlackBerry found Cobalt Strike and cryptocurrency mining software in affected servers. According to the organization, attackers’ tactics were similar to Prophet Spider’s methods. Prophet Spider is known to BlackBerry as a vendor of network access to ransomware groups.

The situation at VMware

According to ZDNet, A VMware spokesperson recently revealed that the organization is “working around the clock to patch and provide the necessary guidance for customers to do the same. With SaaS products, the software provider can quickly and efficiently implement security patches. But organizations using on-premises licenses of software products must take their own steps to apply the security patch.”

It’s taking longer than expected. VMware says it is reminding and contacting customers using outdated VMware Horizon versions. According to VMware, some customers are unresponsive. Certain organizations continue to run outdated versions. They remain vulnerable to the attacks confirmed by BlackBerry and the UK government.