Hackers are actively exploiting a Log4Shell vulnerability in VMware's Horizon virtual desktop platform to deploy ransomware and other malicious packages, the U.K.'s National Health Service (NHS) warned last week.

Microsoft Monday confirmed a China-based ransomware operator — tracked as DEV-0401 — had exploited the vulnerability (CVE-2021-44228) in VMware Horizon as early as January 4. “Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” Microsoft reported. 

Identified earlier this month by Twitter group MalwareHunterTeam, NightSky is a relatively new ransomware gang that began operating late last year. 

Microsoft’s findings shed new light on the earlier NHS Digital alert, which warned attackers were "actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish web shells.” These web shells can then be used by an attacker to deploy malware, ransomware, and exfiltrate data, the advisory said.

In response to the breach, both the NHS and VMware urged users to patch affected systems and/or implement the workarounds cited in the security advisory.

“Any service connected to the internet and not yet patched for Log4j vulnerabilities is vulnerable to hackers, and VMware strongly recommends taking immediate action,” a VMware spokesperson wrote in a statement.

JFrog Jumps On Log4j-Like H2 Database Vulnerability

In the wake of the Log4Shell vulnerability, security researchers warned similar exploits could soon emerge. One of these Log4j-like vulnerabilities was discovered in the H2 database (CVE-2021-42392) by the JFrog security team this week. The critical vulnerability exploits the same root cause, though it's not believed to be as severe as Log4j. It has yet to receive an official severity score.

H2 is a popular open-source database management system written in Java. It's used in various platforms including Spring Boot and ThingWorks. It can be embedded in Java applications or run in client-server mode. The system offers a lightweight in-memory service that does not require data to be stored on disk, according to JFrog and Fortinet’s FortiGuard Labs.

Similar to Log4Shell, the flaw could allow several code paths in the H2 database framework to pass unfiltered attacker-controlled URLs to the function that enables remote code execution. However, the vulnerability “is less severe compared to Log4Shell since affected servers should be easier to find,” JFrog researchers wrote in a post. It affects systems with H2 console installed, but not those operating in standalone mode.

Additionally, by default, the H2 console only listens for localhost connections, which makes it safe out of the box. However, the console can be configured to listen for remote connections, making it susceptible to remote code execution attacks, FortiGuard Labs warned.
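A configuration audit for the exposure condition described above, as an added example that is not part of the article or of H2's, Spring's or JFrog's own code. It reads the real `webAllowOthers`/`webSSL` keys of H2's `.h2.server.properties` and Spring Boot's `spring.h2.console.*` keys; the two sample files are constructed here.

```python
"""Audit H2 Console exposure settings (added example; not the article's or H2's code)."""
from typing import Dict, List

# Constructed ~/.h2.server.properties as written by org.h2.tools.Server for the web console.
H2_SERVER_PROPS = """# H2 Server Properties (constructed sample)
webAllowOthers=true
webSSL=false
"""

# Constructed Spring Boot application.properties that enables the embedded H2 Console.
SPRING_BOOT_PROPS = """spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def _is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"

def audit_h2_server(props: Dict[str, str]) -> List[str]:
    """Flag a standalone H2 Console that accepts connections from other hosts."""
    findings: List[str] = []
    if _is_true(props, "webAllowOthers"):
        findings.append("webAllowOthers=true: console reachable from remote hosts")
        if not _is_true(props, "webSSL"):
            findings.append("webSSL=false: remote console served over plain HTTP")
    return findings

def audit_spring_boot(props: Dict[str, str]) -> List[str]:
    """Flag a Spring Boot app that exposes the embedded H2 Console remotely."""
    if not _is_true(props, "spring.h2.console.enabled"):
        return []  # console disabled: the console-only code paths are unreachable
    findings = ["spring.h2.console.enabled=true: H2 Console is served by the app"]
    if _is_true(props, "spring.h2.console.settings.web-allow-others"):
        findings.append("web-allow-others=true: console reachable from remote hosts")
    return findings

if __name__ == "__main__":
    for f in audit_h2_server(parse_properties(H2_SERVER_PROPS)) + audit_spring_boot(parse_properties(SPRING_BOOT_PROPS)): print(f)
```

Point the script at real files instead of the inline samples to inventory consoles that were switched away from the localhost-only default.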

The H2 team has since patched the vulnerability in a new release and created a critical GitHub advisory. The research team recommends users upgrade their H2 database to the latest version to mitigate any risk.

The H2 vulnerability won’t be the last to share a similar root cause to Log4Shell, researchers noted.

“I’m afraid it is an indication of more to come in a similar vein to Log4j. The ubiquitous nature of these components reused all over the place only compounds the issue,” Gartner Research VP Katell Thielemann concurred.