Microsoft has confirmed that suspected China-based cyber criminals are targeting the Log4j ‘Log4Shell’ flaw in VMware’s Horizon product to install NightSky, a new ransomware strain that emerged on December 27.
The financially motivated ransomware attacks target CVE-2021-44228, the original Log4Shell flaw disclosed on December 9, and mark one new threat posed by the critical vulnerability that affects internet-facing software, systems and devices where vulnerable versions of the Java-based Log4j application error-logging component are present.
“As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” Microsoft notes in an update to its recommendations for mitigating Log4Shell.
Microsoft’s findings add more details to a report last week from the digital arm of the UK’s National Health Service (NHS) that attackers are targeting VMware’s Horizon server software that use vulnerable versions of Log4j. That report noted attackers installed a malicious Java file that injects a web shell into the VM Blast Secure Gateway service, but it didn’t indicate whether ransomware was deployed.
Horizon is one of a number of VMware’s software products affected by Log4j flaws. The case demonstrates the difficulties admins face in identifying systems affected by Log4j. VMware has detailed which versions of Horizon components are or are not vulnerable, and the different remediation steps for each if they are vulnerable.
Its advisory indicates that at least one version of each Horizon on-premise component is vulnerable. Vulnerable on-premise components include Connection Server and HTML Access, the Horizon Windows Agent, Linux Agent, Linux Agent Direct Connect, Cloud Connector, and vRealize Operations for Desktop Agent. VMware has released updated versions or provided scripted mitigation workarounds.
Microsoft says the attacks are being performed by a China-based ransomware operator it’s tracking as DEV-0401, which has previously deployed LockFile, AtomSilo, and Rook. The group has also exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473), according to Microsoft.
However, Czech-based malware analyst Jiří Vinopal, who published an analysis of NightSky on GitHub today, argues NightSky is just a new version of Rook ransomware with a few key design and encryption changes, including that NightSky is delivered as a VMProtect file.
BleepingComputer notes that NightSky is using “double extortion”, where the attacker not only encrypts a target’s data but steals it and threatens to leak it if a ransom is not paid. One victim received an $800,000 ransom demand for a NightSky decryptor.
As ZDNet reported, the US Cybersecurity and Infrastructure Security Agency (CISA) on Monday said it had not seen Log4Shell exploitation result in significant intrusions beyond the attack on the Belgian Defense Ministry.
However, it also warned the lack of significant intrusions was no reason to reduce the urgency of remediation. Attackers who have already exploited targets can lay low for months afterwards, waiting for defenders to drop their guard before moving on their new access.
And big penalties might await firms that don’t apply available patches if vulnerable systems expose consumer data. The FTC last week warned it would come after private sector firms that failed to protect consumer data exposed as a result of Log4j.
CISA’s assessment that the Log4j threat is far from over chimes with Microsoft’s assessment, which stresses that Log4j is a “high-risk situation” in part because many organizations can’t easily tell what products and services are affected by Log4j.
Microsoft said the Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe: “The vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”
Microsoft also said customers should use scripts and scanning tools to assess their risk and impact, but warns that it has seen attackers using many of the same inventory techniques to locate targets: “Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”