Log4J and ransomware: How hackers are taking advantage

Ransomware groups are flocking to exploit the Log4j vulnerability which has hit firms close to the environment. New and established felony gangs, nation-state backed hackers and original access brokers have all been noticed getting advantage of the dilemma, which has opened the door for hackers to attempt a lot more server-side attacks, gurus instructed Tech Monitor.

Log4J and ransomware
The Log4J JavaScript vulnerability has affected tens of millions of organisations close to the environment. (Photo Illustration by Pavlo Gonchar/SOPA Visuals/LightRocket by using Getty Visuals)

Log4j is a JavaScript vulnerability existing in tens of millions of techniques that was uncovered earlier this month, and has produced the fantastic circumstances for ransomware groups to strike. “The pervasiveness of Log4J as a constructing block of so a lot of software program merchandise, combined with the issues in patching the vulnerability, helps make this a essential challenge to address for a lot of organisations,” suggests Toby Lewis, world head of threat examination at safety corporation Darktrace.

Ransomware gangs are weaponising Log4J

Considering that US cybercrime agency CISA’s authentic alert about Log4j on eleven December, many ransomware gangs and threat actors have been uncovered by scientists to be applying the vulnerability to infiltrate techniques and networks. Conti, one particular of the world’s most prolific ransomware gangs, is applying the exploit to an alarming diploma, according to a threat report unveiled by safety corporation Advintel. It suggests the gang has by now employed the vulnerability to target VMware’s vCenter server administration software program, by way of which hackers can possibly infiltrate the techniques of VMware’s shoppers.

Log4j is also accountable for reviving a ransomware strain that has been dormant for the past two several years. TellYouThePass, has not been noticed in the wild due to the fact July 2020, but is now again on the scene and has been one particular of the most energetic ransomware threats getting advantage of Log4J. “We’ve particularly witnessed threat actors applying Log4J to attempt to set up an more mature variation of TellYouThePass,” clarifies Sean Gallagher, threat researcher at safety corporation Sophos. “In the scenarios where by we have detected these tries, they’ve been stopped. TellYouThePass has Home windows and Linux variations, and a lot of of the tries we have witnessed have focused cloud-centered servers on AWS and Google Cloud.”

Khonsari, a middleweight ransomware gang, has also been uncovered exploiting Home windows servers with Log4J, reviews safety corporation BitDefender, which notes that the gang’s malware is modest ample to keep away from detection by a lot of antivirus programmes.

Nation-state threat actors use Log4J

Proof of nation-state backed threat actors from nations together with China and Iran has been uncovered by threat analysts at Microsoft. The firm’s safety staff explained Log4J was currently being exploited by “a number of tracked nation-state exercise groups originating from China, Iran, North Korea, and Turkey. This exercise ranges from experimentation for the duration of advancement, integration of the vulnerability to in-the-wild payload deployment, and exploitation versus targets to achieve the actor’s targets.”

Illustrations include Iranian team Phosphorous, which has been deploying ransomware, attaining and producing modifications of the Log4J exploit. Hafnium, a threat actor thought to originate from China, has been noticed applying the vulnerability to assault virtualisation infrastructure to lengthen their standard concentrating on. “We have witnessed Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are performing so as properly, or planning to,” suggests John Hultquist, VP of intelligence examination at Mandiant. “We believe that these actors will get the job done speedily to make footholds in attractive networks for adhere to-on exercise which may perhaps last for some time. In some scenarios, they will get the job done from a would like list of targets that existed prolonged in advance of this vulnerability was general public expertise. In other scenarios, attractive targets may perhaps be picked after broad concentrating on.”

First Obtain Brokers are applying the Log4J exploit

First access brokers, which infiltrate networks and sell access, have also jumped on the Log4J bandwagon. “The Microsoft 365 Defender staff have verified that a number of tracked exercise groups acting as access brokers have started off applying the vulnerability to get original access to target networks,” the Microsoft threat report notes.

The level of popularity of this exploit signifies a improve from hackers concentrating on shopper-side programs (unique products these as laptops, desktops and mobiles), to server-side programs, indicates Darktrace’s Lewis. “The latter ordinarily have a lot more sensitive info and have greater privileges or permissions in just the community,” he suggests. “This assault route is substantially a lot more exposed, specifically as adversaries convert to automation to scale their attacks.”

If tech leaders want to be absolutely sure of effectively protecting their techniques, they ought to get ready for the unavoidable assault, as properly as patching, Lewis adds. “As firms evaluate how finest to get ready for a cyberattack, they ought to acknowledge that at some point, attackers will get in,” he suggests. “Instead than attempting to halt this, the emphasis ought to be on how to mitigate the influence of a breach when it occurs.”


Claudia Glover is a personnel reporter on Tech Monitor.