Microsoft confirms new ransomware family deployed via Log4j vulnerability


Microsoft has become the second security vendor to report that it has observed a new family of ransomware, known as Khonsari, which the company said has been used in attacks on non-Microsoft-hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

In a Wednesday night update to its blog post about the Log4j vulnerability, Microsoft said it can confirm the findings of cyber firm Bitdefender, which earlier this week disclosed the existence of the new Khonsari ransomware family. Bitdefender said it had detected multiple attempts to deploy a Khonsari ransomware payload, which targets Windows systems by taking advantage of a flaw in the Log4j logging library.

The vulnerability, known as Log4Shell, was publicly disclosed last Thursday and is considered highly dangerous, as the flaw is both widespread and considered trivial to exploit.

Attacks on Minecraft servers

In its blog update Wednesday, Microsoft said that it has seen attacks involving the Khonsari ransomware family on Minecraft servers that are not hosted by the company.

“Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender,” the company said in the blog post update.

“In Microsoft Defender Antivirus data we have observed a small number of cases of this [ransomware] being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader,” Microsoft said in the post.

In those cases, the threat actor has sent a malicious message in-game to a vulnerable Minecraft server, and the message then exploits Log4Shell in order to execute a payload both on the server and on any vulnerable clients that are connected, the company said.

“We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device,” Microsoft said.

Risk of compromise

The vulnerability in Log4j was initially discovered in the Java edition of Minecraft, according to reports. The massively popular game is owned by Microsoft. A post on the Minecraft blog on Friday had informed users of the Log4j vulnerability and urged Java edition users to update to the patched version, saying that “this vulnerability poses a potential risk of your computer being compromised.”

The new disclosure by Microsoft today follows the company’s report on Tuesday that it has observed multiple cybercriminal groups seek to establish network access by exploiting Log4Shell, with the goal of later selling that access to ransomware operators. The arrival of these “access brokers,” who’ve been linked to ransomware-as-a-service affiliates, suggests that an “increase in human-operated ransomware” may follow against both Windows and Linux systems, the company said.

Additionally, Microsoft said in the previous update that it has observed activity from nation-state groups around the Log4j vulnerability, including activities by an Iranian group that has previously deployed ransomware.

‘Not widespread’

Earlier this week, Bitdefender reported that it has seen multiple attempts to deploy the new Khonsari ransomware, named after the extension found in the payload’s encrypted files. However, “Khonsari is not widespread at this point,” said Martin Zugec, technical solutions director at Bitdefender, in an email to VentureBeat on Tuesday.

Researchers have also told VentureBeat that they’ve observed attackers potentially laying the groundwork for launching ransomware in a range of ways, such as deploying privilege escalation tools and bringing malicious Cobalt Strike servers online, in recent days. Cobalt Strike is a popular tool for enabling remote reconnaissance and lateral movement in ransomware attacks.

On Saturday, Microsoft had reported seeing the installation of Cobalt Strike through the exploitation of the Log4j vulnerability.

All in all, researchers have said they do expect more ransomware attacks to result from the vulnerability in Log4j. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users. Researchers at cybersecurity giant Check Point said they’ve observed attempted exploits of the Log4j vulnerability on more than 44% of corporate networks worldwide.


In the blog post update Tuesday, Microsoft’s threat research teams said that they “have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.”

“These access brokers then sell access to these networks to ransomware-as-a-service affiliates,” the Microsoft researchers said in the post.

Ransomware-as-a-service operators lease out ransomware variants to other attackers, saving them the effort of creating their own variants.

At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

Ransomware has already been hitting a growing number of businesses. A recent survey from CrowdStrike found that 66% of organizations had experienced a ransomware attack in the previous 12 months, up from 56% in 2020.

Meanwhile, in the post update on Wednesday, Microsoft said that “while it’s uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials.”

“These techniques are typically associated with enterprise compromises with the intent of lateral movement,” the company said. “Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.”
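The post-exploitation chain Microsoft describes above (a Minecraft client running under javaw.exe launching a PowerShell reverse shell) is the kind of parent/child process relationship an endpoint detection can key on. The following is an added detection example, not code from the article, Microsoft or Bitdefender; the event fields and the sample records are constructed assumptions modelled loosely on a process-creation log, not a real telemetry schema.

```python
"""Flag a Java game client (javaw.exe) spawning a shell, or PowerShell launched
with switches typical of a dropped reverse shell. Sample events below are
constructed for illustration; the ProcEvent fields are an assumed schema."""
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


# Java launchers (Minecraft's client runs under javaw.exe) that should not
# normally start command shells or credential-dumping tools.
JAVA_PARENTS = {"javaw.exe", "java.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mimikatz.exe"}
# Substrings commonly seen in PowerShell reverse-shell one-liners.
REVERSE_SHELL_MARKERS = ("-enc", "downloadstring", "net.sockets.tcpclient")


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ProcEvent) -> bool:
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Rule 1: Java process spawning a shell or Mimikatz.
    if parent in JAVA_PARENTS and child in SUSPICIOUS_CHILDREN:
        return True
    # Rule 2: PowerShell started with encoded/download/socket arguments.
    # Note: "-enc" also matches "-Encoding", so tune this for your environment.
    cl = ev.command_line.lower()
    if child in {"powershell.exe", "pwsh.exe"}:
        return any(marker in cl for marker in REVERSE_SHELL_MARKERS)
    return False


def find_suspicious(events: List[ProcEvent]) -> List[ProcEvent]:
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry); only the first should fire.
SAMPLE_EVENTS = [
    ProcEvent("pc1", r"C:\Program Files\Java\bin\javaw.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent("pc1", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Java\bin\javaw.exe", "javaw.exe -jar minecraft.jar"),
    ProcEvent("pc2", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]
```

Run `find_suspicious(SAMPLE_EVENTS)` to see the single hit; in practice the same two rules map directly onto a process-creation query in an EDR or SIEM.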

Originally appeared on: TheSpuzz