The IT and cybersecurity community sounded the alarm last month when researchers discovered vulnerabilities in Log4j, the ubiquitous java logger used by a wide range of tech products.
The tool has been patched and vendors are quickly deploying its own patches for products that use the tool, but the situation is not getting much better as threat actors are leveraging the flaws to attack internet-facing systems and deploy ransomware, Microsoft warns in a new update.
The IT vendor says it began observing earlier this month attacks exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMWare Horizon, which is one of many VMWare products that was impacted by the Log4j bugs.
For information of which components of Horizon are vulnerable, view VMWare’s advisory.
Microsoft attributes the attacks to a China-based ransomware operator that deploys the NightSky ransomware to encrypt victim systems. That entity, which Microsoft tracks as Dev-0401, has previously deployed multiple ransomware families, including LockFile, AtomSilo, and Rook.
The threat actor has also exploited other internet-facing systems running Confluence and on-premises Exchange servers, leveraging a 2021 remote code execution vulnerability for each.
According to Microsoft, the attackers are using command and control severs that spoof legitimate domains of IT vendors, including: service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.
The update comes a week after the Microsoft warned organizations to remain vigilant as exploitation attempts remain high in January. The company says sophisticated threat actors like nation-states and other groups are rolling the Log4j exploits into their attack tools.
Nation state groups from China, Iran North Korea and Turkey are using the vulnerabilities to conduct a range of attacks, including ransomware and attacking virtualization infrastructure to extend their typical targeting.
Other groups are using the vulnerability to gain initial access to target networks and then sell that access to ransomware-as-a-service affiliates, Microsoft says.
Microsoft has rolled out updates to Microsoft 365 Defender to help admins identify vulnerable instances of Log4j and provide a consolidated view of the organization’s exposure.
Multiple other organizations have released similar tools that are free to use.