Another gang, the Night Sky ransomware operation, has started exploiting the Log4Shell vulnerability in the Log4j library to gain access to VMware Horizon systems.
Researchers from MalwareHunterTeam first spotted the ransomware family. Once it has encrypted a file, the ransomware appends the ‘.nightsky’ extension to the encrypted file name.
In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware addressed Log4Shell in Horizon with the release of versions 2111, 7.13.1 and 7.10.3, but many unpatched systems are still exposed online.
On Monday, Microsoft warned of a new campaign by a China-based actor it tracks as DEV-0401 that exploits the Log4Shell vulnerability on Internet-exposed VMware Horizon systems to deploy Night Sky ransomware.
According to Microsoft, the operators compromised the exposed systems to deploy the NightSky ransomware. DEV-0401 has also deployed multiple ransomware families in past campaigns, including LockFile and AtomSilo.
“As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” reads an update published by Microsoft.
“These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).”
According to Microsoft, Night Sky ransomware operators used C2 servers that impersonate domains of legitimate companies, including the cybersecurity firms Trend Micro and Sophos and the IT firms Nvidia and Rogers Corporation.
In recent weeks other ransomware gangs have also exploited Log4Shell in their attacks; the Conti ransomware gang was the first group to exploit the CVE-2021-44228 flaw, starting in mid-December.
[Source: SecurityAffairs / 1.11.]