Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more
As cybersecurity teams grapple with having to potentially patch their systems for a third time against Apache Log4j vulnerabilities, additional malware strains exploiting the flaws and an attack against a European military body have come to light.
Security firm Check Point reported Monday it has now observed attempted exploits of vulnerabilities in the Log4j logging library on more than 48% of corporate networks worldwide, up from 44% last Tuesday.
On Monday, the defense ministry in Belgium disclosed that a portion of its network was shut down in the wake of a cyber attack that occurred last Thursday. A spokesperson for the ministry told a Belgian newspaper, De Standaard, that the attack had resulted from an exploitation of the vulnerability in Log4j. VentureBeat has reached out to a defense ministry spokesperson for comment.
The report did not say whether or not the attack involved ransomware, but a translation of the report indicates that the Belgian defense ministry initiated “quarantine measures” to isolate the “affected areas” of its network.
Additional malware strains
Meanwhile, the Cryptolaemus security research group on Monday reported that it has verified that Dridex, a malware strain that targets financial institutions, has been delivered through an exploit of the vulnerability in Log4j. The Dridex payloads have been delivered onto Windows devices, the research group said on Twitter.
Researchers have previously reported that they’ve observed the use of Mirai and Muhstik botnets to deploy distributed denial of service (DDoS) attacks using the Log4j flaw, as well as deployment of Kinsing malware for crypto mining. Cisco Talos previously reported observing email-based attacks seeking to exploit the vulnerability.
Akamai Technologies said in a blog post that along with crypto miners and DDoS bots, “we have found certain aggressive attackers performing a huge volume of scans, targeting Windows machines” by leveraging the vulnerability in Log4j.
“Attackers were trying to deploy the notorious ‘netcat’ backdoor, a known Windows privilege escalation tool, which is commonly used for subsequent lateral movement or gaining privileges to encrypt the disk with ransomware,” the company’s security threat research team said.
Researchers at Uptycs said they’ve observed attacks using the Log4j vulnerability that have involved delivery of botnet malware (Dofloo, Tsunami/Muhstik, and Mirai), coin miners (Kinsing and XMRig), and an unidentified family of Linux ransomware (which included a ransom note).
“We can expect to see more malware families, especially ransomware, leverage this vulnerability and penetrate into victims’ machines in the coming days,” Uptycs researchers said in the post Monday.
At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j, though a number of ransomware delivery attempts using the flaw have been observed.
Researchers report having seen the attempted delivery a new family of ransomware, Khonsari, as well as an older ransomware family, TellYouThePass, in connection with the Log4j vulnerability.
Researchers at Microsoft have also spotted activities by suspected access brokers—looking to establish a backdoor in corporate networks that can later be sold to ransomware operators—while Log4j exploits by ransomware gang Conti have been observed, as well.
Notably, Microsoft and cyber firm Mandiant said last week that they’ve observed activity from nation-state groups—tied to countries including China and Iran—seeking to exploit the Log4j vulnerability. Microsoft said that an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit.”
Companies’ patching efforts have been complicated by the vulnerabilities that have been discovered in the first two patches for Log4j over the past week.
Apache on Friday released version 2.17 of Log4j—the organization’s third patch for vulnerabilities in the open-source software since the initial discovery of a remote code execution (RCE) vulnerability, known as Log4Shell, on Dec. 9. Version 2.17 addresses a potential for denial of service (DoS) attacks in version 2.16, which had been released last Tuesday. The severity for the vulnerability is rated as “high,” and the bug was independently discovered by several individuals, including researchers at Akamai and at Trend Micro.
Version 2.16, in turn, had fixed an issue with the version 2.15 patch for Log4Shell that did not completely address the RCE issue in some configurations.
Additionally, a discovery by cyber firm Blumira last week suggests there may be an additional attack vector in the Log4j flaw, whereby not just vulnerable servers — but also individuals browsing the web from a machine with unpatched Log4j software on it — might be vulnerable. (“At this point, there is no proof of active exploitation,” Blumira said.)
Many applications and services written in Java are potentially vulnerable due to the flaws in Log4j prior to version 2.17. The RCE flaws can enable remote execution of code by unauthenticated users.
Along with enterprise products from major vendors including Cisco, VMware, and Red Hat, the vulnerabilities in Log4j affect many cloud services. Research from Wiz provided to VentureBeat suggests that 93% of all cloud environments were at risk from the vulnerabilities, though an estimated 45% of vulnerable cloud resources have been patched at this point.
Thus far, there is still no indicator on whether the widely felt ransomware attack against Kronos Private Cloud had any connection to the Log4j vulnerability or not. The parent company of the business, Ultimate Kronos Group (UKG), said in its latest update Sunday that the question of whether Log4j was a factor is still under investigation — though the company has noted that it did quickly begin patching for the vulnerability.
Still, the likelihood of upcoming ransomware attacks that trace back to the Log4j vulnerabilities is high, according to researchers.
“If you are a ransomware affiliate or operator right now, you suddenly have access to all these new systems,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in an interview with VentureBeat on Friday. “You’ve got more work on your hands than you know what to do with right now.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more