Suspected Chinese hackers use Log4j flaw to deploy Night Sky ransomware, Microsoft warns

The findings coincide with U.S. government efforts to slow malicious cyber activity related to the issue, which is ubiquitous in the technology sector.
Computer server cables
(Photo by In Pictures Ltd./Corbis via Getty Images)

A China-based ransomware operator has been exploiting a vulnerability in Log4j software to attack internet-facing systems running a popular virtualization service, Microsoft analysts reported Monday.

The findings point toward attacks on VMWare Horizon, an application that allows remote users access to virtual computers and servers. Successful attacks have led to the deployment of ransomware via a hacking campaign that calls itself Night Sky. The group behind this effort has previously deployed other ransomware strains, including LockFile, AtomSilo, and Rook, the Microsoft researchers reported.

This new campaign, which dates back to Jan. 4 — even though the VMWare Horizon exploitation at the hands of the Log4j vulnerability was spotted toward the end of December — relies in part on spoofed domains made to look as though they’re associated with known technology firms such as TrendMicro, Sophos, Nvidia, and Rogers. VMware issued guidance on remediation on Dec. 14, less than a week after the Java-based vulnerability in the widely used open-source logging software became public.

The Microsoft findings came on the same day the U.S. government’s top cybersecurity officials told reporters that, although they were unaware of any major intrusions using the Log4j vulnerability, it would perhaps only a matter of time before one is revealed.


On Jan. 5 the U.K.’s National Health Service warned that attackers were “actively targeting” VMware Horizon servers, and researchers with CrowdStrike reported Dec. 29 on Chinese hackers dubbed “Aquatic Panda” using the VMware issues to target an unnamed academic institution.

Latest Podcasts