Log4j Actively Being Leveraged By Cybercriminals

The rather catastrophic Log4j vulnerability sent the planet scrambling last week to patch all the things before bad actors could exploit them, which didn’t take long to happen. It’s now become a free for all, with bad actors really going to town exploiting this vulnerability. For example, Conti ransomware uses Log4j bug to hack VMware vCenter servers:

Conti, one of the largest and most prolific ransomware gangs today with tens of active full-time members, appears to have taken interest in Log4Shell early on, seeing it as a possible attack avenue on Sunday, December 12.

The gang started looking for new victims the next day, their goal being lateral movement to VMware vCenter networks, cybercrime and adversarial disruption company Advanced Intelligence (AdvIntel) shared with BleepingComputer.

Dozens of vendors have been affected by Log4Shell and rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, listing 40 vulnerable products.

While the company provided mitigations or fixes, a patch for vCenter versions impacted has yet to become available.

You have to give Conti credit for acting so quickly. But that also means that a whole lot of things are under threat. Stephanie Simpson, VP, Product Management of SCYTHE had this comment:

Cybercriminals regularly take advantage of new vulnerabilities, especially ones as wide-ranged as Log4Shell. Critically, most organizations are still in the process of responding to the announcement. They haven’t had adequate time to test their security controls, especially when trying to look for new TTPs using this vulnerability. If we’ve learned nothing from the past year, it’s that organizations are struggling to reduce time to detect and remediate because they don’t have a way to continuously improve people, processes, and technologies. Companies are going to need to assume breach and be proactive over the next few days, and we will likely see an uptick in these attacks through early 2022, at the very least.

Conti aren’t the only cybercriminals who are leveraging this. Anurag Gurtu, CPO, StrikeReady has this comment about the Khonsari gang, who are also leveraging this vulnerability:

Are we witnessing a match made in heaven? Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability. It’s the Khonsari ransomware gang who has built an attack using C# and the .NET framework. 

After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories including Documents, Videos, Pictures, Downloads, and Desktop. An AES 128 CBC algorithm is used for encryption, and the files are saved with a .khonsari extension.

There are no signs that the Log4Shell vulnerability is slowing down, in fact a second CVE (CVE-2021-45046) just got announced. In the second and third stages, threat actors are aggressively deploying malware families. Among them are Kinsing, XMR, and Mirai. Additionally, some coin-miners and CobaltStrike beacons have been observed in the wild. Nearly 2000 malicious IOCs have been observed so far, which require immediate attention.

We are likely seeing the start of a flood of new attacks leveraging this flaw. So you really need to patch all the things so that you don’t get pwned.
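Before you can patch all the things, you have to find them. This added example (not from the post or from any vendor quoted in it) reads the version that log4j-core records in its own pom.properties inside a jar and flags it against the two CVEs mentioned above; the version ranges come from the Apache Log4j security advisories, and the sample jar is constructed in the script rather than taken from a real host.

```python
# Added example: triage log4j-core jars against CVE-2021-44228 and CVE-2021-45046.
# Ranges per the Apache Log4j advisories: CVE-2021-44228 affects 2.0-beta9 .. 2.14.1,
# CVE-2021-45046 affects 2.0-beta9 .. 2.15.0; the Java 7/6 backports 2.12.2+ and
# 2.3.1+ carry both fixes.
import io
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(.+)$", re.MULTILINE)

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple (betas sort first)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))

def log4j_core_version(jar_bytes):
    """Read the version from the Maven pom.properties that log4j-core ships in its jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PATH not in zf.namelist():
            return None  # not a log4j-core jar (or a shaded/renamed one: check manually)
        m = VERSION_RE.search(zf.read(POM_PATH).decode("utf-8", "replace"))
        return m.group(1).strip() if m else None

def affected_cves(version):
    """Return the CVEs from the post that this log4j-core version is exposed to."""
    v = parse_version(version)
    if v is None:
        return ["unparseable version"]
    backport_fixed = (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)
    if backport_fixed or v < parse_version("2.0-beta9"):
        return []
    cves = []
    if v <= parse_version("2.14.1"):
        cves.append("CVE-2021-44228")
    if v <= parse_version("2.15.0"):
        cves.append("CVE-2021-45046")
    return cves

def make_sample_jar(version):
    """Constructed sample input: a minimal jar carrying only the pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()

def triage(jar_bytes):
    """(version, cves) for one jar's bytes; cves is empty when no version is found."""
    version = log4j_core_version(jar_bytes)
    return (version, affected_cves(version) if version else [])

if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.12.2", "2.16.0"):
        print(ver, triage(make_sample_jar(ver))[1])
```

Point `triage` at every jar under your application directories; a 2.15.0 result still needs the 2.16.0 upgrade the second CVE calls for, and jars that bundle log4j classes without the pom.properties need a manual look.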
