Log4j vulnerability opened the door to the ransomware operators

Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more

For the cybercriminal operators who specialize in ransomware, business was already very good prior to the disclosure of the simple-to-exploit vulnerability in Apache’s widely used Log4j logging software. But numerous indicators suggest that due to the Log4j vulnerability, known as Log4Shell, the opportunities in the ransomware business are about to get even more abundant. To the detriment of everyone else.

Defenders, of course, are doing all they can to prevent this from happening. But according to security researchers, signs have emerged suggesting that ransomware attacks are all but inevitable over the coming months thanks to the flaw in Log4j, which was disclosed just over a week ago.

Selling access

One troubling indicator in recent days is the activity of “initial access brokers”—cyber criminals whose specialty is getting inside a network and then installing a backdoor to enable entry and exit without detection. Later, they sell this access to a ransomware operator who carries out the actual attack—or sometimes to a “ransomware-as-a-service” outfit, according to security researchers. Ransomware-as-a-service operators lease out ransomware variants to other attackers, saving them the effort of creating their own variants.

Microsoft reported this week that it has observed activities by suspected access brokers, linked to ransomware affiliates, who have now exploited the vulnerability in Log4j. This suggests that an “increase in human-operated ransomware” will follow against both Windows and Linux systems, Microsoft said.

At cybersecurity giant Sophos, the company has spotted activity involving attempted installation of Windows backdoors that points to access brokers, said Sean Gallagher, a senior threat researcher at Sophos Labs.

“You can assume they’re likely access brokers, or other cyber criminals who may sell access on the side,” Gallagher told VentureBeat.

Ransomware gang activity

Other concerning developments include a report from cyber firm AdvIntel that a major ransomware gang, Conti, has been found to be exploiting the vulnerability in Log4j to gain access and move laterally on vulnerable VMware vCenter servers. VentureBeat has reached out to VMware for comment.

It may still be weeks or months before the first successful ransomware attacks result from the Log4Shell vulnerability, Gallagher noted. Ransomware operators will often slowly export a company’s data for a period of time before springing the ransomware that encrypts the company’s files, Gallagher said. This allows the operator to later extort the company in exchange for not releasing their data on the web.

“It could be a while before we see the real impact—in terms of what people have gotten access to and what the economic impact is of that access,” Gallagher said.

A growing threat

The ransomware problem had already gotten much worse this year. For the first three quarters of 2021, SonicWall reported that attempted ransomware attacks surged 148% year-over-year. CrowdStrike reports that the average ransomware payment climbed by 63% in 2021, reaching $1.79 million.

Sixty-six percent of companies have experienced a ransomware attack in the previous 12 months, according to CrowdStrike’s recent report, up from 56% in the company’s 2020 report.

This year’s spate of high-profile ransomware incidents included attacks against fuel pipeline operator Colonial Pipeline, meat processing firm JBS Foods, and IT management software firm Kaseya—all of which had massive repercussions far beyond their corporate walls.

The disclosure of the Log4j vulnerability has been met with a herculean response from security teams. But even still, the likelihood of ransomware attacks that trace back to the flaw is high, according to researchers.

“If you are a ransomware affiliate or operator right now, you suddenly have access to all these new systems,” Gallagher said. “You’ve got more work on your hands than you know what to do with right now.”

Widespread vulnerability

Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users. Researchers at cybersecurity giant Check Point said they’ve observed attempted exploits of the Log4j vulnerability on more than 44% of corporate networks worldwide.

Meanwhile, a discovery by cyber firm Blumira suggests there may be an additional attack vector in the Log4j flaw, whereby not just vulnerable servers—but also individuals browsing the web from a machine with unpatched Log4j software on it—might be vulnerable. (“At this point, there is no proof of active exploitation,” Blumira said.)

Ransomware delivery attempts have already been made using the vulnerability in Log4j. Bitdefender and Microsoft this week reported attempted attacks, using a new family of ransomware called Khonsari, that exploited the flaw. Microsoft also said that an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit.”

At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

“We haven’t necessarily seen direct ransomware deployment, but it’s just a matter of time,” said Nick Biasini, head of outreach at Cisco Talos, in an email this week. “This is a high-severity vulnerability that can be found in countless products. The time required for everything to be patched alone will allow various threat groups to leverage this in a variety of attacks, including ransomware.”

What about Kronos?

Thus far, there is still no indicator on whether last Saturday’s ransomware attack against Kronos Private Cloud had any connection to the Log4j vulnerability or not. The attack continues to be widely felt, with paychecks potentially delayed for workers at many companies that use the software for their payrolls.

In an update Friday, the parent company of the business, Ultimate Kronos Group (UKG), said that the question of whether Log4j was a factor is still under investigation—though the company noted that it did quickly begin patching for the vulnerability.

“As soon as the Log4j vulnerability was recently publicly reported, we initiated rapid patching processes across UKG and our subsidiaries, as well as active monitoring of our software supply chain for any advisories of third-party software that may be impacted by this vulnerability,” the company said. “We are currently investigating whether or not there is any relationship between the recent Kronos Private Cloud security incident and the Log4j vulnerability.”

The company did not have any further comment when reached by VentureBeat on Friday.

Hypothetically, even if the attack was enabled by the Log4j vulnerability, it’s “entirely possible” that UKG might never be able to pinpoint that, Gallagher noted.

“There are lots of times when you have no way to know what the initial point of access for a ransomware operator was,” he said. “By the time they’re done, you’re poking through the ashes with a rake trying to find what happened. Sometimes you can find pieces that tell you [how it occurred]. And sometimes you don’t. It’s entirely possible that, if it was Log4j, they would not have any idea.”

Originally appeared on: TheSpuzz