Microsoft has issued a warning that cyber criminals located in China are currently targeting organizations and individuals in order to install a new “double extortion” ransomware strain that was discovered last month.
Attackers began exploiting the Log4j ‘Log4Shell’ vulnerability in VMware’s Horizon product on internet-facing systems as early as January 4.
Microsoft said in a statement: “Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401.”
In addition, HAFNIUM, a Chinese threat actor group, has been observed exploiting the vulnerability against virtualization infrastructure, broadening the set of targets it typically pursues.
In these attacks, HAFNIUM-associated servers were observed using a DNS service typically associated with testing activity to fingerprint systems.
For organizations throughout the world, the ‘Log4j’ vulnerabilities pose a complex and high-risk situation.
This open-source logging component is embedded in the software and services of numerous suppliers, so a single flaw surfaces across many products at once.
Microsoft said: “Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”
According to Microsoft, the attackers began exploiting the vulnerabilities in internet-facing systems in January and went on to deploy ransomware.
Microsoft said that customers should assume exploit code and scanning capabilities are already widely available, and should treat them as a real, present danger to their environments.
Microsoft added: “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”