Microsoft: China-based ransomware actor exploiting Log4Shell

According to Microsoft, a threat actor tracked as DEV-0401 is utilizing Night Sky ransomware in its Log4j attacks, a variant first reported Jan. 1 that targets large enterprises.

A threat actor is exploiting Log4Shell to deploy a new ransomware variant, according to Microsoft.

The details came via a Monday update to Microsoft's security guidance post dedicated to CVE-2021-44228, also called Log4Shell. It's a critical vulnerability in the ubiquitous Java logging framework Log4j that was disclosed last month and quickly gained infamy for multiple reasons.

Microsoft's update called attention to a China-based ransomware operator, tracked as DEV-0401, that the company said was exploiting CVE-2021-44228 as early as Jan. 4. According to the post, the threat actor was targeting internet-facing servers running vulnerable instances of VMware Horizon, a virtualization product developed by VMware.

VMware Horizon-related Log4Shell exploitation is not new. The U.K. government's NHS Digital reported last week that threat actors had been observed attempting to establish malicious web shells on Horizon servers.

In a statement to SearchSecurity, a VMware spokesperson said the company continues to urge customers to apply the latest guidance according to its security advisory (VMSA-2021-0028), and that "the security of our customers is our top priority at VMware as we respond to the industry-wide Apache Software Foundation Log4j vulnerabilities."

"Any service connected to the internet and not yet patched for Log4j vulnerabilities is vulnerable to hackers, and VMware strongly recommends taking immediate action," the spokesperson said.

Microsoft said DEV-0401 was using command and control servers to spoof legitimate domains related to companies like Trend Micro (spoofed as "trendmrcio") and Sophos.
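A defender reading the paragraph above would want a way to surface lookalike vendor domains like "trendmrcio" in their own DNS or proxy logs. The following is an added example (not code from Microsoft or from the article) that scans constructed log lines for registrable labels within a small edit distance of a known security-vendor brand. The allowlist of legitimate domains, the sample log lines and the simple "second label is the registrable label" assumption are all constructed for the example.

```python
"""Flag DNS queries whose registrable label looks like a security-vendor brand.

Added defensive example. The allowlist, brand tokens and log lines below are
constructed; they are not IoCs from the article.
"""

# Assumed allowlist of legitimate vendor domains (constructed for the example).
LEGITIMATE_DOMAINS = {"trendmicro.com", "sophos.com", "microsoft.com"}

# Brand tokens are the registrable label of each legitimate domain.
BRAND_TOKENS = {domain.split(".")[0] for domain in LEGITIMATE_DOMAINS}

# Constructed sample log: timestamp, host, verb, queried name, record type.
SAMPLE_LOG = """\
2022-01-10T12:00:01Z host01 query trendmicro.com A
2022-01-10T12:00:02Z host02 query trendmrcio.com A
2022-01-10T12:00:03Z host03 query update.soph0s.net A
2022-01-10T12:00:04Z host04 query example.org A
"""


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str):
    """Return the label just left of the TLD (assumption: simple two-part TLDs)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2]


def lookalike_brand(domain: str, max_distance: int = 2):
    """Return (brand, distance) if the domain mimics a brand, else None.

    Exact allowlisted domains are never flagged; everything else whose
    registrable label is within max_distance edits of a brand token is.
    """
    if domain.lower().rstrip(".") in LEGITIMATE_DOMAINS:
        return None
    label = registrable_label(domain)
    if not label:
        return None
    best = None
    for brand in BRAND_TOKENS:
        distance = levenshtein(label, brand)
        if distance <= max_distance and (best is None or distance < best[1]):
            best = (brand, distance)
    return best


def scan_log(text: str):
    """Yield (queried_name, brand, distance) for every suspicious query line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        match = lookalike_brand(fields[3])
        if match:
            hits.append((fields[3], match[0], match[1]))
    return hits


if __name__ == "__main__":
    for name, brand, distance in scan_log(SAMPLE_LOG):
        print(f"possible lookalike of {brand}: {name} (edit distance {distance})")
```

The edit-distance threshold of 2 catches the transposition-style spelling seen in "trendmrcio" as well as digit-for-letter swaps, but it will also fire on some benign short names; in practice the brand list should be limited to tokens of six or more characters and the output reviewed rather than blocked automatically.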

For this campaign, Microsoft said DEV-0401 is using Night Sky ransomware, a variant first reported by security research collective MalwareHunterTeam on Jan. 1 that targets large enterprises. The actor has also utilized other ransomware variants.

"DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473)," the post read.

Since Log4Shell was first reported in early December, attacks against vulnerable organizations have been constant. In addition to financially motivated threat actors, nation-state actors from countries like China, North Korea, Turkey and Iran have been observed exploiting the flaw.

It is unknown whether DEV-0401 is acting in a ransomware-as-a-service capacity or contractor capacity. Microsoft declined SearchSecurity's request for clarification.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
