Log4J and ransomware: How hackers are taking advantage

Ransomware groups are flocking to exploit the Log4j vulnerability, which has hit organisations around the world. New and established criminal gangs, nation-state backed hackers and initial access brokers have all been observed taking advantage of the flaw, which has opened the door for hackers to attempt more server-side attacks, experts told Tech Watch.

The Log4J JavaScript vulnerability has affected millions of organisations around the world. (Image illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

Log4j is a JavaScript vulnerability found in millions of systems that was disclosed earlier this month, and it has created the perfect conditions for ransomware groups to strike. “The pervasiveness of Log4J as a building block of so many software products, combined with the difficulty in patching the vulnerability, makes this a major issue to address for many organisations,” says Toby Lewis, global head of threat analysis at security company Darktrace.

Ransomware gangs are weaponising Log4J

Since US cybersecurity agency CISA’s initial alert about Log4j on 11 December, several ransomware gangs and threat actors have been found by researchers to be using the vulnerability to infiltrate systems and networks. Conti, one of the world’s most prolific ransomware gangs, is using the exploit to an alarming degree, according to a threat report released by security company Advintel. It says the gang has already used the vulnerability to target VMware’s vCenter server management software, through which hackers can potentially infiltrate the systems of VMware’s clients.

Log4j is also responsible for reviving a ransomware strain that had been dormant for the past two years. TellYouThePass had not been seen in the wild since July 2020, but is now back on the scene and has been one of the most active ransomware threats taking advantage of Log4J. “We have specifically seen threat actors using Log4J to try to install an older version of TellYouThePass,” explains Sean Gallagher, threat researcher at security company Sophos. “In the cases where we’ve detected these attempts, they’ve been stopped. TellYouThePass has Windows and Linux versions, and many of the attempts we’ve seen have targeted cloud-based servers on AWS and Google Cloud.”

Khonsari, a middleweight ransomware gang, has also been found exploiting Windows servers with Log4J, reports security company Bitdefender, which notes that the gang’s malware is small enough to evade detection by many antivirus programmes.

Nation-state threat actors use Log4J

Evidence of nation-state backed threat actors from countries including China and Iran has been uncovered by threat analysts at Microsoft. The company’s security team said Log4J was being exploited by “multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

Examples include the Iranian group Phosphorus, which has been deploying ransomware, acquiring and making modifications to the Log4J exploit. Hafnium, a threat actor believed to originate from China, has been observed using the vulnerability to attack virtualisation infrastructure to extend its typical targeting. “We have observed Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to,” says John Hultquist, VP of intelligence analysis at Mandiant. “We believe these actors will work quickly to create footholds in desirable networks for follow-on activity which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”

Initial access brokers are using the Log4J exploit

Initial access brokers, which infiltrate networks and sell access to them, have also jumped on the Log4J bandwagon. “The Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks,” the Microsoft threat report notes.

The popularity of this exploit signals a shift from hackers targeting client-side applications (personal devices such as laptops, desktops and mobiles) to server-side applications, suggests Darktrace’s Lewis. “The latter generally contain more sensitive data and have higher privileges or permissions in the network,” he says. “This attack path is far more exposed, especially as adversaries turn to automation to scale their attacks.”

If tech leaders want to be sure of properly protecting their systems, they should prepare for the inevitable attack as well as patching, Lewis adds. “As organisations assess how best to prepare for a cyberattack, they should accept that sooner or later, attackers will get in,” he says. “Rather than trying to prevent this, the focus should be on how to mitigate the impact of a breach when it occurs.”

Claudia Glover is a staff reporter at Tech Watch.