Microsoft has confirmed that suspected China-based cyber criminals are targeting the Log4j 'Log4Shell' flaw in VMware's Horizon product to install NightSky, a new ransomware strain that emerged on December 27.
The financially motivated ransomware attacks target CVE-2021-44228, the original Log4Shell flaw disclosed on December 9, and mark a new threat posed by the critical vulnerability, which affects internet-facing software, systems and devices wherever vulnerable versions of the Java-based Log4j logging library are present.
"As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware," Microsoft notes in an update to its recommendations for mitigating Log4Shell.
Microsoft's findings add more detail to a report last week from the digital arm of the UK's National Health Service (NHS) that attackers are targeting VMware Horizon server software that uses vulnerable versions of Log4j. That report noted that attackers installed a malicious Java file that injects a web shell into the VM Blast Secure Gateway service, but it did not indicate whether ransomware was deployed.
Horizon is one of a number of VMware's software products affected by Log4j flaws. The case demonstrates the difficulties admins face in identifying systems affected by Log4j. VMware has detailed which versions of Horizon components are or are not vulnerable, and the different remediation steps for each if they are vulnerable.
Its advisory indicates that at least one version of each Horizon on-premise component is vulnerable. Vulnerable on-premise components include Connection Server and HTML Access, the Horizon Windows Agent, Linux Agent, Linux Agent Direct Connect, Cloud Connector, and vRealize Operations for Desktop Agent. VMware has released updated versions or provided scripted mitigation workarounds.
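Because VMware's advisory gives per-component remediation, an administrator still has to locate which installed jars actually carry a vulnerable log4j-core and whether a workaround has already been applied. The script below is an added, defender-side example (not VMware's, Microsoft's or the NHS's tooling) that walks a directory tree, identifies log4j-core jars by their package prefix, reads the version from the jar manifest, and classifies each one against CVE-2021-44228. It assumes the manifest carries an `Implementation-Version` or `Bundle-Version` field, as the official log4j-core jars do, and treats a jar whose `JndiLookup.class` has been removed (the workaround Apache published for 2.10+) as mitigated. The sample jars are constructed in memory so the example runs offline.

```python
"""Inventory log4j-core jars under a directory and classify them against
CVE-2021-44228. Added example; assumptions are marked in comments."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 2.0-beta9 through 2.14.1 are affected by CVE-2021-44228; 2.15.0 closed it.
FIXED_VERSION = (2, 15, 0, 1, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    Pre-releases sort below the release they precede (2.0-beta9 < 2.0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, 0, int(m.group(5)))
    return (major, minor, patch, 1, 0)


def read_manifest(zf):
    """Parse META-INF/MANIFEST.MF into a dict (continuation lines are ignored)."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    fields = {}
    for line in raw.splitlines():
        if line.startswith(" ") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def classify_jar(jar_bytes):
    """Return (version_text, status) for a log4j-core jar, or None otherwise.
    status: 'patched', 'mitigated', 'vulnerable' or 'unknown-version'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None  # not log4j-core (log4j-api alone is not affected)
        fields = read_manifest(zf)
    version_text = fields.get("Implementation-Version") or fields.get("Bundle-Version") or ""
    version = parse_version(version_text)
    if version is None:
        status = "unknown-version"  # manual review needed
    elif version >= FIXED_VERSION:
        status = "patched"
    elif JNDI_LOOKUP not in names:
        status = "mitigated"  # JndiLookup.class removed per Apache's workaround
    else:
        status = "vulnerable"
    return (version_text or None), status


def scan_tree(root):
    """Walk root for *.jar files; return {path: (version, status)} for log4j-core jars."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        try:
            verdict = classify_jar(path.read_bytes())
        except zipfile.BadZipFile:
            continue  # corrupt or non-zip file named .jar
        if verdict:
            results[str(path)] = verdict
    return results


def make_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: manifest plus representative entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Bundle-SymbolicName: org.apache.logging.log4j.core\r\n"
                    f"Implementation-Version: {version}\r\n")
        zf.writestr(CORE_PREFIX + "Core.class", b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed directory layout standing in for an application install tree.
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1"))
        (lib / "log4j-core-2.14.1-nojndi.jar").write_bytes(make_jar("2.14.1", with_jndi=False))
        (lib / "log4j-core-2.17.1.jar").write_bytes(make_jar("2.17.1"))
        for path, (ver, status) in sorted(scan_tree(tmp).items()):
            print(f"{status:15} {ver:10} {path}")
```

The status is deliberately conservative: 2.15.0 is treated as closing CVE-2021-44228, which is the flaw the attacks above exploit, but Apache's later advisories for the follow-on Log4j CVEs recommend moving to 2.17.1 or newer, and jars nested inside WAR or EAR archives are not opened by this scanner.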
Microsoft says the attacks are being performed by a China-based ransomware operator it's tracking as DEV-0401, which has previously deployed LockFile, AtomSilo, and Rook. The group has also exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473), according to Microsoft.
According to BleepingComputer, malware researchers at MalwareHunterTeam identified NightSky as a new ransomware group on December 27.
However, Czech-based malware analyst Ji?