The Night Sky ransomware group has begun exploiting the major CVE-2021-44228 vulnerability in the Log4j logging library (aka Log4Shell) to gain access to VMware Horizon systems. The threat actor targets vulnerable systems exposed on the internet, and its infrastructure impersonates legitimate companies, some of them in the technology and cybersecurity industries.
Night Sky ransomware, first spotted by security researcher MalwareHunterTeam in late December 2021, targets corporate networks. It has encrypted the data of multiple victims and demanded an $800,000 ransom from one of them. On Monday, Microsoft warned of a new campaign by a China-based actor it tracks as DEV-0401 that exploits the Log4Shell vulnerability on internet-exposed VMware Horizon servers to deploy Night Sky ransomware.
VMware Horizon is a cloud-based desktop and app virtualization platform that allows users to access their desktops and apps from anywhere. It’s also a tool for administrators who want to improve administration, security, and automation across their whole fleet of virtual systems.
VMware fixed Log4Shell in its Horizon products and published workarounds for users who could not install the patched versions (2111, 7.13.1, 7.10.3). Some organizations, though, have yet to apply the patch.
“As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” according to Microsoft.
The company also says the gang has previously deployed ransomware families such as LockFile, AtomSilo, and Rook, and that in earlier attacks it exploited flaws in other internet-facing systems, such as Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473, ProxyShell). Night Sky is believed to be a continuation of those earlier ransomware operations.
According to Microsoft, Night Sky ransomware operators use command and control servers that impersonate legitimate companies, including the cybersecurity firms Sophos and Trend Micro and the technology companies Nvidia and Rogers Corporation. Microsoft’s warning follows a January 5 alert from the UK’s National Health Service (NHS) about threat actors exploiting Log4Shell to attack VMware Horizon systems.