Microsoft said it has observed multiple cybercriminal groups seek to establish network access by exploiting the vulnerability in Apache Log4j, with the expected goal of later selling that access to ransomware operators.
The arrival of these “access brokers,” who’ve been linked to ransomware affiliates, suggests that an “increase in human-operated ransomware” may follow against both Windows and Linux systems, the company said in an update to a blog post on the critical Log4j vulnerability, known as Log4Shell.
Nation state activity
In the same post, Microsoft also said it has observed nation-state activity groups—tied to countries including China, Iran, North Korea, and Turkey—seeking to exploit the Log4j vulnerability. In one instance, an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit,” Microsoft said. “We assess that PHOSPHORUS has operationalized these modifications.”
The disclosures come after the first instances of ransomware payloads exploiting Log4Shell were disclosed. Security researchers at Bitdefender observed an attempt to deploy a new strain of ransomware, Khonsari, using the Log4Shell vulnerability that was disclosed last Thursday.
Researchers have also told VentureBeat that they’ve observed attackers potentially laying the groundwork for launching ransomware in a range of ways, such as deploying privilege escalation tools and bringing malicious Cobalt Strike servers online in recent days. Cobalt Strike is a popular tool for enabling remote reconnaissance and lateral movement in ransomware attacks.
Microsoft itself, on Saturday, had reported seeing the installation of Cobalt Strike through the exploitation of the Log4j vulnerability.
Now, Microsoft said it has observed activity by cybercriminals aimed at establishing a foothold inside a network using Log4Shell, with the expectation of selling that access to a “ransomware-as-a-service” operator.
In the blog post update, Microsoft’s threat research teams said that they “have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.”
“These access brokers then sell access to these networks to ransomware-as-a-service affiliates,” the Microsoft researchers said in the post. Ransomware-as-a-service operators lease out ransomware variants to other attackers, saving them the effort of creating their own variants.
In terms of the access brokers, Microsoft researchers said they “have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.”
A growing threat
According to a previous report from Digital Shadows, these so-called “initial access brokers” have had a “growing role” in the cybercriminal space.
“Rather than infiltrating an organization deeply, this type of threat actor operates as a ‘middleman’ by breaching as many companies as possible and goes on to sell access to the highest bidder – often to ransomware groups,” Digital Shadows said.
Sean Gallagher, a senior threat researcher at Sophos, told VentureBeat on Tuesday that he has been expecting to see targeted efforts to plant backdoors in networks, including by access brokers who would then sell the backdoor to other criminals. “And those other criminals will inevitably include ransomware gangs,” Gallagher said.
At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.
All in all, researchers said they do expect ransomware attacks to result from the vulnerability in Log4j, as the vulnerability is both widespread and considered trivial to exploit. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users. Researchers at cybersecurity giant Check Point said they’ve observed attempted exploits of the Log4j vulnerability on more than 44% of corporate networks worldwide.
“We haven’t necessarily seen direct ransomware deployment, but it’s just a matter of time,” said Nick Biasini, head of outreach at Cisco Talos, in an email Tuesday. “This is a high-severity vulnerability that can be found in countless products. The time required for everything to be patched alone will allow various threat groups to leverage this in a variety of attacks, including ransomware.”
The vulnerability arrives at a time when the majority of businesses already report first-hand experience with ransomware over the past year. A recent survey from CrowdStrike found that 66% of organizations had experienced a ransomware attack in the previous 12 months, up from 56% in 2020. The average ransomware payment surged by about 63% in 2021, reaching $1.79 million, the report said.