Attacks Cloud Data Executive Decisions IoT Malware Mobile Network Security Strategy Threat Defense
Attacks Cloud Data Executive Decisions IoT Malware Mobile Network Security Strategy Threat Defense

IOTW: VMware Horizon targeted by attackers exploiting Log4j

New ransomware leveraging the Log4j vulnerability identified in VMware Horizon servers

Add bookmark
Cyber Security Hub Editor
01/14/2022
VMware Horizon targeted by attackers exploiting Log4J

The Log4j vulnerability continues to be exploited by threat actors and a new ransomware group has been identified actively targeting Log4Shell vulnerabilities in the VMware Horizon servers.

According to a 5 January 2022 update from the UK’s National Health Service (NHS), the attackers are trying to establish web shells, that can be used to carry out the deployment of malicious software, data exfiltration and the deployment of ransomware. VMware Horizon is a virtual desktop provider which leverages the hybrid cloud.

On 11 January 2022, Microsoft provided an update on Log4j vulnerabilities and noted, “as early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon”.

With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

“Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” the Microsoft statement said.

NightSky ransomware

The NightSky ransomware was first discovered in December 2021 by MalwareHunterTeam.

The attacks are being performed by a China-based ransomware operator that Microsoft says it is tracking as DEV-0401.

“DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).”

Based on Microsoft’s analysis the attackers are using command and control (CnC) servers that spoof legitimate domains.

The NHS statement says that attackers are leveraging the vulnerability to “use the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service”.

Log4j impact continues

Since being uncovered in early December 2021 threat actors have taken advantage of the opportunities presented by the Log4J vulnerability.

According to Check Point Research (CPR), Q4 of 2021 saw an all-time peak in weekly cyber-attacks with CPR counting more than 900 attacks per organization, largely due to the Log4j vulnerability.

Ransomware has been identified as a major issue for those who have not successfully patched the vulnerability.

In December, the UK’s National Cyber Security Centre said: “As the situation evolves, we expect attacks to become more targeted. Ransomware groups may look to use Log4Shell as a method of illicit entry into organizations. Once access is secured, threat actors will then look to obtain further access in order to be able to ransom the whole organization in a highly impactful way.”

Tags: Incident of the week IOTW ransomware VMware log4j cryptologer VMware VMware cyber security VMware horizon vulnerabilities night sky ransomware

FIND CONTENT BY TYPE

Cyber Security Hub COMMUNITY

ADVERTISE WITH US

Advertise Now

JOIN THE Cyber Security Hub COMMUNITY

Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more.

Learn more
iqpc logo

Cyber Security Hub, a division of IQPC

© 2024 All rights reserved. Use of this site constitutes acceptance of our User Agreement, Privacy Policy and Cookies Settings.

Careers With IQPC| Contact Us | About Us | Cookie Policy