Cyberattackers seeking to exploit the widespread vulnerability in Apache Log4j have continued to broaden their reach and have begun attempting attacks that are potentially more severe, such as ransomware, cybersecurity researchers said.
Researchers at cybersecurity giant Check Point said today that they’ve observed attempted exploits of the Log4j vulnerability, known as Log4Shell, on more than 44% of corporate networks worldwide. That’s up from 40% a day earlier, according to Check Point.
Matthew Prince, CEO of Cloudflare, said Tuesday morning on Twitter that “payloads [are] getting scarier. Ransomware payloads started in force in last 24 hours.†Cloudflare declined to comment further.
Ransomware spotted
Cyber firm Bitdefender, meanwhile, reported that it has detected attempts to deploy a ransomware payload targeting a Windows system by exploiting the Log4j vulnerability.
The attacker sought to install a new ransomware family, Khonsari, named after the extension found in the payload’s encrypted files. While Bitdefender has seen multiple attempts to deploy this ransomware, “Khonsari is not widespread at this point,†said Martin Zugec, technical solutions director at Bitdefender, in an email.
Other threat researchers told VentureBeat they have yet to observe ransomware payloads that have leveraged the Log4j vulnerability.
“We haven’t necessarily seen direct ransomware deployment, but it’s just a matter of time,†said Nick Biasini, head of outreach at Cisco Talos, in an email. “This is a high-severity vulnerability that can be found in countless products. The time required for everything to be patched alone will allow various threat groups to leverage this in a variety of attacks, including ransomware.â€
Check Point said it has not observed ransomware attempts related to Log4j, either, but spokesperson Ekram Ahmed said the company sees ransomware attacks as “highly probable.â€
Akamai has observed attackers trying to target Windows machines and attempting to deploy privilege escalation tools, such as winPEAS, said Aparna Rayasam, general manager for application security at the company.
“This is groundwork to enable activities like ransomware,†Rayasam said in an email. Still, “of the overall attacks we have observed to date, only a small percentage appear to be related to ransomware. The majority of the requests appear to be reconnaissance related,†she said.
‘More aggressive attacks’ coming
In its blog update Tuesday, Check Point researchers reported they are tracking a malware attack traced to an IP address in the U.S., which hosts malicious files including a crypto miner and Cobalt Strike. The Cobalt Strike tool is popular with ransomware gangs for activities such as remote surveillance and lateral movement, and Microsoft had previously reported seeing installation of the tool in connection with Log4j exploits.
Matt Olney, director of threat intelligence and interdiction at Cisco Talos, said on Monday that the firm has seen an increase in malicious Cobalt Strike servers coming online in recent days.
Sean Gallagher, a senior threat researcher at Sophos, told VentureBeat today that “other than continuing attempts to drop cryptocurrency miners and mining botnets, we’re seeing a relatively quiet period compared to the initial probes for vulnerabilities we saw over the weekend.â€
“But based on past experience with vulnerabilities like Log4j, we expect this to be followed by more aggressive attacks,†Gallagher said in an email. “These would include targeted efforts to gain access to vulnerable systems to steal data or plant backdoors to allow long-term information stealing by spies, access brokers (who sell the backdoor to others), and other cybercriminals. And those other criminals will inevitably include ransomware gangs.â€
Widespread flaw
Log4j is an open source logging library that is widely used in enterprise software and cloud services. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users.
The flaw is considered highly dangerous because of Log4j’s broad usage and because the vulnerability is considered trivial to exploit. Detection and remediation is made even more difficult by the fact that much of the usage of Log4j has been indirect — with the logging library often used via Java frameworks such as Apache Struts 2, Apache Solr, and Apache Druid.
Internal research from Wiz suggests that more than 89% of all environments have had vulnerable Log4j libraries. The Log4Shell vulnerability was disclosed late Thursday.
Deployment of malware that takes advantage of Log4Shell has been ongoing for days, with researchers reporting they’ve observed the use of Mirai and Muhstik botnets to deploy distributed denial of service (DDoS) attacks, as well as deployment of Kinsing malware for crypto mining. Cisco Talos today reported observing email-based attacks seeking to exploit Log4Shell.
Range of attacks
Along with the Khonsari ransomware, Bitdefender also reported attempts to deploy the Orcus remote access trojan, Muhstik botnets, and reverse bash shells for future attacks, as well as successful coin miner attacks. The company’s telemetry has found 7,000 total attack attempts based on the Log4j vulnerability, Zugec told VentureBeat.
At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.
Following the ransomware attack on human resources software firm Kronos on Saturday, there is currently “no indication†of a connection to the Log4j vulnerability, according to a company update today, which a spokesperson confirmed represents the latest information. The company said it’s investigating that possibility, however.
Both Kronos and the Virginia state legislature, which saw a ransomware attack on Friday, are known to use or have licenses for use of Java, according to an Ars Technica report. A spokesperson for the Virginia state legislature could not immediately be reached Tuesday.
