Ransomware groups are flocking to exploit the Log4j vulnerability which has hit businesses around the world. New and established criminal gangs, nation-state backed hackers and initial access brokers have all been spotted taking advantage of the problem, which has opened the door for hackers to attempt more server-side attacks, experts told Tech Monitor.
Log4j is a JavaScript vulnerability present in millions of systems that was uncovered earlier this month, and has created the perfect conditions for ransomware groups to strike. “The pervasiveness of Log4J as a building block of so many software products, combined with the difficulty in patching the vulnerability, makes this a critical issue to address for many organisations,” says Toby Lewis, global head of threat analysis at security company Darktrace.
Ransomware gangs are weaponising Log4J
Since US cybercrime agency CISA's original alert about Log4j on 11 December, numerous ransomware gangs and threat actors have been found by researchers to be using the vulnerability to infiltrate systems and networks. Conti, one of the world's most prolific ransomware gangs, is using the exploit to an alarming degree, according to a threat report released by security company Advintel. It says the gang has already used the vulnerability to target VMware's vCenter server management software, through which hackers can potentially infiltrate the systems of VMware's clients.
Log4j is also responsible for reviving a ransomware strain that has been dormant for the past two years. TellYouThePass, has not been spotted in the wild since July 2020, but is now back on the scene and has been one of the most active ransomware threats taking advantage of Log4J. "We’ve specifically seen threat actors using Log4J to attempt to install an older version of TellYouThePass," explains Sean Gallagher, threat researcher at security company Sophos. "In the cases where we’ve detected these attempts, they’ve been stopped. TellYouThePass has Windows and Linux versions, and many of the attempts we’ve seen have targeted cloud-based servers on AWS and Google Cloud."
Khonsari, a middleweight ransomware gang, has also been found exploiting Windows servers with Log4J, reports security company BitDefender, which notes that the gang's malware is small enough to avoid detection by many antivirus programmes.
Nation-state threat actors use Log4J
Evidence of nation-state backed threat actors from countries including China and Iran has been uncovered by threat analysts at Microsoft. The company's security team said Log4J was being exploited by "multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives."
Examples include Iranian group Phosphorous, which has been deploying ransomware, acquiring and making modifications of the Log4J exploit. Hafnium, a threat actor thought to originate from China, has been observed using the vulnerability to attack virtualisation infrastructure to extend their typical targeting. "We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to," says John Hultquist, VP of intelligence analysis at Mandiant. "We believe these actors will work quickly to create footholds in desirable networks for follow-on activity which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting."
Initial Access Brokers are using the Log4J exploit
Initial access brokers, which infiltrate networks and sell access, have also jumped on the Log4J bandwagon. "The Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have started using the vulnerability to gain initial access to target networks," the Microsoft threat report notes.
The popularity of this exploit signifies a change from hackers targeting client-side applications (individual devices such as laptops, desktops and mobiles), to server-side applications, suggests Darktrace's Lewis. "The latter typically contain more sensitive information and have greater privileges or permissions within the network," he says. "This attack path is significantly more exposed, particularly as adversaries turn to automation to scale their attacks."
If tech leaders want to be sure of properly protecting their systems, they must prepare for the inevitable attack, as well as patching, Lewis adds. "As businesses assess how best to prepare for a cyberattack, they must accept that eventually, attackers will get in," he says. "Rather than trying to stop this, the focus must be on how to mitigate the impact of a breach when it happens.”