Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing

        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing

        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing

        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing

        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training

        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing

        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review

        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention

        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise

        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle

        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

I'VE BEEN BREACHED

Night Sky Ransomware Uses Log4j Bug to Hack VMware Horizon Servers

Night Sky Ransomware Uses Log4j Bug to Hack VMware Horizon Servers

The Night Sky ransomware gang has started to exploit the critical CVE-2021-44228 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.

The threat actor is targeting vulnerable machines exposed on the public web from domains that impersonate legitimate companies, some of them in the technology and cybersecurity sectors.

Attacks started in early January

Spotted in late December 2021 by security researcher MalwareHunterTeam, Night Sky ransomware focuses on locking enterprise networks. It has encrypted multiple victims, asking for an $800,000 ransom from one of them.

Also Read: Top 3 Simple Data Backup Singapore and Recovery Methods

On Monday, Microsoft published a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

VMware Horizon is used for desktop and app virtualization in the cloud, allowing users to access them remotely through a dedicated client or a web browser.

It is also a solution for administrators for better management, security compliance, and automation across the entire fleet of virtual systems.

VMware has patched Log4Shell in Horizon products and provided workarounds for customers that could not install the new version containing the fix (2111, 7.13.1, 7.10.3). However, some companies have yet to apply the fix.

“As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware” Microsoft

The company adds that the group is known for deploying other ransomware families in the past, such as LockFile, AtomSilo, and Rook.

Previous attacks from this actor also exploited security issues in internet-facing systems like Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473 – ProxyShell). It is believed that Night Sky is a continuation of the aforementioned ransomware operations.

The link with Rook ransomware has already been established. After reverse engineering the malware, Jiří Vinopal – forensic analyst at the Czech Republic CERT, discovered that Night Sky is a fork of the Rook ransomware.

Microsoft notes that Night Sky ransomware operators rely on command and control servers that impersonate domains used by legitimate companies such as cybersecurity firms Sophos, Trend Micro, technology companies Nvidia and Rogers Corporation.

Also Read: What is Pseudonymisation: 5 Techniques and Its Best Practices

Microsoft’s warning comes on the heels of another alert from UK’s National Health Service (NHS) on January 5 about threat actors targeting VMware Horizon deployments with Log4Shell exploits.

Attractive attack vector

Log4Shell is an attractive attack vector for nation-state hackers and cybercriminals alike because the open-source Log4J component is present in a wide range of systems from dozens of vendors.

Exploiting the bug to achieve code execution without authentication requires minimum effort. A threat actor can initiate a callback or request to a malicious server that passes needs only visit a site or search it for a specific string to cause a server callback to a malicious location.

The security flaw can be leveraged remotely on vulnerable machines exposed on the public internet or from the local network, by a local adversary to move laterally to sensitive internal systems.

Exploiting Log4j vulnerability CVE-2021-44228
source: Microsoft

One of the first “top-tier” ransomware gangs to integrate Log4Shell in their attacks is Conti, who showed an interest in it as a potential attack avenue on December 12, just three days after the first proof-of-concept (PoC) exploit became public.

Another ransomware gang, a newcomer called Khonsari, started to leverage the exploit the very next day the PoC emerged on GitHub.

In the days following its disclosure, multiple threat actors started to leverage the Log4j bug. The first to take advantage were cryptocurrency miners, with state-backed hackers and ransomware gangs following suit.

Update [January 11, 08:57 EST]: Added information that Night Sky ransomware is a fork of Rook ransomware.

0 Comments

Let us help you out.

Grab your free consultation NOW!

Privacy Ninja

Data Protection​

Cybersecurity

Support

Company

Locations

Singapore

7 Temasek Boulevard
#12-07, Suntec Tower One
Singapore 038987

Thailand

The Royal Place 1
2, 2/399 Mahatlek Luang 1 Alley, Lumphini, Pathum Wan, Bangkok 10330, Thailand



email-icon
Facebook Twitter Linkedin Youtube

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
TALK TO US
×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

× Chat with us