Cyber criminals gearing up for ransomware: log4j exploits

According to experts at major cybersecurity firms, attackers are apparently exploiting Log4Shell, the widespread Apache Log4j vulnerability, in ways that might be laying the groundwork for a ransomware attack. On Saturday, Microsoft’s threat intelligence teams stated they’ve seen Log4Shell used to install Cobalt Strike, a common tool utilized by hackers that is often regarded as a precursor to ransomware.

At the moment, Cisco’s threat intelligence team, Talos, has not discovered Cobalt Strike being set up—but “we’ve seen an increase in malignant Cobalt Strike servers online that may be supporting infrastructure,” according to Matt Olney, director of threat intelligence and interdiction at Cisco.

Sophos researchers have discovered “evidence of attackers attempting to use the flaw to install remote access tools on victim networks, possibly Cobalt Strike, a key tool in many ransomware assaults,” according to a statement distributed by Sean Gallagher, senior threat researcher at Sophos. No ransomware groups are publicly identified as having exploited the Log4j vulnerability to carry out a ransom attack at this time.

Vulnerability is common

The Log4Shell vulnerability was discovered late Thursday, and it affects a wide range of commercial software and cloud services. Any program that utilizes the Apache Log4j open source logging library is vulnerable, as are many Java applications and services.
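Because the exposure follows the library rather than any one product, the first practical step for a defender is an inventory: which archives on a host actually bundle log4j-core, and at what version. The script below is an added example, not code from the article or from any vendor quoted in it. It relies on two facts about the library's packaging that the article does not state: Maven-built log4j-core jars carry a `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` file with a `version=` line, and the lookup class involved in Log4Shell lives at `org/apache/logging/log4j/core/lookup/JndiLookup.class` (removing that class from the jar was one of the published mitigations). It walks a directory, descends into jars nested inside wars and fat jars, and reports each copy found; the sample tree it builds is constructed for the demonstration, including the version string `2.0.0-SAMPLE`.

```python
"""Inventory copies of log4j-core on disk, including jars nested inside
other archives (wars, ears, fat jars). Added example, not the article's code."""
import io
import os
import tempfile
import zipfile

# Library layout facts (not from the article): Maven metadata path and the
# class whose JNDI lookup behaviour is at the heart of Log4Shell.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(data: bytes):
    """Pull the version= value out of a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, label: str):
    """Yield one finding per log4j-core copy in this archive or any archive
    nested inside it. `label` records the path, with '!' separating levels."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        yield {
            "location": label,
            "version": _version_from_pom(zf.read(POM_PROPS)),
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        }
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not really an archive; skip it
            yield from inspect_archive(inner, f"{label}!{name}")


def find_log4j_core(root: str):
    """Walk `root` and return a list of findings for every archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root: str):
    """Constructed sample: a web app bundling log4j-core inside WEB-INF/lib,
    next to an unrelated clean jar. Version string is a placeholder."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.0.0-SAMPLE\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stand-in class bytes
    with zipfile.ZipFile(os.path.join(lib, "webapp.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = find_log4j_core(tmp)
        for f in findings:
            print(f"{f['location']}: log4j-core {f['version']}, "
                  f"JndiLookup present={f['jndi_lookup_present']}")
        return findings


if __name__ == "__main__":
    demo()
```

Run `find_log4j_core("/opt")` (or any application root) on a real host and compare each reported version against the fixed versions in the Apache advisory; the `jndi_lookup_present` flag tells you whether a copy that is old by version number has at least had the lookup class stripped. The nested-archive descent matters in practice, since a fat jar or war reports nothing at its top level yet carries the library one layer down.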

In its post on Saturday, Microsoft reported that attackers were still scanning: “at the time of publication, the great majority of observed activity has been scanning,” but exploitation and post-exploitation efforts have also been seen.

“Microsoft has observed activities including coin miners, Cobalt Strike to enable credential theft and lateral movement, and data exfiltration from compromised systems,” the firm added.

Microsoft was not forthcoming on the attacks, but it is a significant cybersecurity vendor in its own right with 650,000 security customers. Microsoft is also one of the largest platforms and cloud services used by businesses.

Chris Doman, cofounder and CTO of cyber security firm Cado Security, observed that Microsoft’s detection of Cobalt Strike installation is noteworthy because the tool is “often utilized by targeted ransomware.”

Popular among cyber crooks

According to a recent study from Proofpoint, Cobalt Strike was formerly a legitimate penetration testing tool, but the platform’s source code appears to have been leaked on GitHub in late 2020, and experts say the tool is increasingly being used by cyber criminals. Year over year, threat actors using Cobalt Strike rose 161 percent in 2020. The software has also been “observed in Proofpoint threat data more frequently than ever” this year, according to the firm.

According to researchers from Cisco Talos, VMware Carbon Black, and Accenture Security, there is a significant connection between the Cobalt Strike malware and ransomware assaults. The Cobalt Strike malware is useful not just because it works but also because of its popularity, according to experts from VMware and Accenture Security in a recent threat analysis post.

“As the use of Cobalt Strike by ransomware operators grows, Accenture Security and Carbon Black have observed attackers utilizing Cobalt Strike Beacon features such as named pipes over Server Message Block (SMB) and WinRM to move laterally within targeted networks,” according to the researchers.

Ransomware infection

The misuse of Log4Shell to spread malware has already begun, with Mirai and Muhstik botnets used to conduct distributed denial of service (DDoS) attacks as well as the deployment of Kinsing malware for crypto mining.

It’s possible that ransomware may be used in conjunction with the Log4j vulnerability “in a matter of days,” according to David Warshavski, vice president of enterprise security at cybersecurity firm Sygnia.

“The barrier for ransomware malware programs to breach corporate networks and establish a foothold has been lowered significantly,” said Warshavski, due to the broad scope of the Log4j vulnerability.

Most organizations report having dealt with ransomware in the last year, and it remains a significant risk. According to a recent poll from CrowdStrike, 66% of companies had been affected by ransomware in the previous 12 months, up from 56% in 2020. The average ransom paid has increased by about 63% this year, reaching $1.79 million according to the study.

In terms of Log4Shell, managed detection and response firm Huntress has “not seen any serious attacks on our partners or their customers yet,” according to Roger Koehler, vice president of threat operations at the firm. It’s too early to talk about anything severe right now, according to Koehler.

“This is just the start, and we will be seeing this for a long time to come,” Koehler added.