Microsoft has issued a warning that cyber criminals based in China are currently targeting businesses and individuals in order to install a new “double extortion” ransomware strain that emerged last month.
Attackers began exploiting the Log4j ‘Log4Shell’ flaw in internet-facing systems running VMware’s Horizon product as early as January 4.
“Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401,” Microsoft said in a statement on Monday.
Furthermore, HAFNIUM, a threat actor group based in China, has been observed exploiting the vulnerability to attack virtualisation infrastructure in order to broaden their typical targeting.
HAFNIUM-affiliated systems were observed using a DNS service typically associated with testing activity to fingerprint systems in these attacks.
The ‘Log4j’ vulnerabilities pose a complex and high-risk situation for businesses all over the world.
This open-source component is widely used in the software and services of many suppliers.
“Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” said Microsoft.
In January, the company noticed attackers exploiting vulnerabilities in internet-facing systems, eventually deploying ransomware.
Customers should consider the widespread availability of exploit code and scanning capabilities to be a real and present threat to their environments at this time, according to the tech behemoth.
“Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance,” the company added.
According to a report released last week by the digital arm of the United Kingdom’s National Health Service (NHS), attackers are targeting VMware’s Horizon server software.
VMware has detailed which versions of Horizon components are vulnerable and which are not, along with the remediation steps for each vulnerable version.