Log4j exploits attempted on 44% of corporate networks; ransomware payloads spotted


Cyber attackers seeking to exploit widespread vulnerabilities in Apache Log4j have continued to expand their reach and have begun attempting to launch potentially more serious attacks such as ransomware, cybersecurity researchers said.

Researchers at cybersecurity giant Check Point said today that they have observed attempts to exploit the Log4j vulnerability, known as Log4Shell, on more than 44% of corporate networks worldwide, up from 40% a day earlier.

Cloudflare CEO Matthew Prince said Tuesday morning on Twitter that “payloads [are] becoming scary. Ransomware payloads have started to be deployed in the last 24 hours.” Cloudflare declined to comment further.

Ransomware spotted

The cyber firm Bitdefender, meanwhile, reports that it has discovered attempts to deploy ransomware payloads targeting Windows systems by exploiting the Log4j vulnerability.

The attackers attempted to install a new ransomware family, Khonsari, named after the extension found on the files encrypted by the payload. While Bitdefender has seen multiple attempts to deploy this ransomware, “Khonsari is not widespread at this point,” Martin Zugec, Bitdefender’s director of technical solutions, said in an email.

Other threat researchers told VentureBeat that they have yet to observe ransomware payloads that have taken advantage of the Log4j vulnerability.

“We haven’t seen direct ransomware deployments, but it’s just a matter of time,” Nick Biasini, Cisco Talos’ head of outreach, said in an email. “This is a high-intensity vulnerability that can be found in many products. The time required to patch everything alone will allow different risk groups to take advantage of it in various attacks, including ransomware.”

Check Point said it had not seen ransomware attempts related to Log4j, but spokesman Ekram Ahmed said the company viewed ransomware attacks as “highly probable.”

Akamai has seen attackers targeting Windows machines and trying to use privilege escalation tools such as winPEAS, said Aparna Rayasam, general manager of application security at the company.

“This is groundwork for enabling activities like ransomware,” Rayasam said in an email. However, “only a small percentage of the overall attacks we’ve seen so far appear to be related to ransomware. Most of the requests appear to be related to espionage,” she said.

‘More aggressive attacks’ are coming

In its blog update on Tuesday, Check Point researchers reported that they were tracking a malware campaign run from a US-based IP address that hosts malicious files, including a cryptominer and Cobalt Strike. The Cobalt Strike tool is popular with ransomware gangs for activities such as remote surveillance and lateral movement, and Microsoft had previously reported observing installation of the tool in connection with Log4j exploitation.

The company has seen an increase in malicious Cobalt Strike servers coming online in recent days, said Matt Olney, director of threat intelligence and interdiction at Cisco Talos.

“Except for the constant attempts to drop cryptocurrency miners and mining botnets, we’re seeing a relatively quiet period compared to the initial checks for vulnerabilities observed over the weekend,” Sean Gallagher, a senior threat researcher at Sophos, told VentureBeat today.

“But based on past experience with vulnerabilities such as Log4j, we expect this to be followed by more aggressive attacks,” Gallagher said in an email. “This would include targeted attempts to gain access to sensitive systems to steal data or plant backdoors to allow long-term data theft by spies, access brokers (who sell backdoors to others), and other cybercriminals.” And those other criminals will inevitably include ransomware gangs.

A widespread flaw

Log4j is an open source logging library that is widely used in enterprise software and cloud services. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote code execution by unauthenticated attackers.

This flaw is considered extremely dangerous because of Log4j’s widespread use and because the vulnerability is trivial to exploit. Most use of Log4j is indirect, which makes discovery and mitigation harder: the logging library is pulled in by Java frameworks such as Apache Struts 2, Apache Solr and Apache Druid.
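Because the library usually arrives bundled inside a framework or application archive rather than as a top-level dependency, a plain file listing misses it. The script below is an added defensive example, not code from the article or any vendor named in it: it walks a directory, opens every jar/war/ear, recurses into archives nested inside them, and reports each log4j-core copy with its version. The fixed-version threshold is background knowledge rather than something the article states, and the sample archive is constructed in memory.

```python
import io, os, re, zipfile

# Log4j 2 ships this file inside log4j-core; Log4j 1.x used another groupId and never matches.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
# First release fixing the initial Log4Shell RCE (background fact); later releases fixed follow-ups.
MIN_FIXED = (2, 15, 0)
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Version tuple from a pom.properties body, e.g. 'version=2.14.1' -> (2, 14, 1)."""
    m = re.search(r"^version=(\S+)", text, re.M)
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1))[:3]) if m else None

def scan_jar_bytes(data, where="<root>"):
    """Recursively locate log4j-core in an archive; returns [(path, version, affected)]."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive, nothing to inspect
    with zf:
        for name in zf.namelist():
            if POM_RE.search(name):
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                findings.append((where, ver, ver is not None and ver < MIN_FIXED))
            elif name.lower().endswith(ARCHIVES):
                # The indirect case: a framework or app bundling log4j-core as a nested jar.
                findings += scan_jar_bytes(zf.read(name), f"{where}!{name}")
    return findings

def scan_path(root):
    """Walk a directory tree and scan every archive found on disk."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    findings += scan_jar_bytes(fh.read(), os.path.join(dirpath, f))
    return findings

def build_sample_jar(version="2.14.1"):
    """Constructed sample: a web app archive bundling a log4j-core jar (not a real artifact)."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   f"version={version}\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_path("/opt")` (or any deployment root) and treat every finding marked `True` as a host that needs patching or mitigation, regardless of whether the application itself claims to use Log4j.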

Wiz’s internal research suggests that over 89% of all environments contain vulnerable Log4j libraries. The Log4Shell vulnerability was disclosed late Thursday night.

The deployment of malware using Log4Shell has been going on for days, with researchers reporting that they have seen the Mirai and Muhstik botnets used to launch distributed denial of service (DDoS) attacks, as well as Kinsing malware for crypto mining. Cisco Talos today observed email-based attacks seeking to exploit Log4Shell.

A series of attacks

Along with the Khonsari ransomware, Bitdefender also reported attempts to deploy the Orcus remote access Trojan, Muhstik botnets and reverse bash shells for future attacks, as well as successful coin-miner attacks. The company’s telemetry has detected a total of 7,000 attack attempts based on the Log4j vulnerability, Zugec told VentureBeat.

At the time of writing, there has been no public announcement of a successful ransomware breach exploiting vulnerabilities in Log4j.

As for the ransomware attack on human resources software firm Kronos on Saturday, a company spokesperson confirmed that, according to a recent company update, there is “no indication” of a connection to the Log4j vulnerability. However, the company said it was investigating the possibility.

Kronos and the Virginia state legislature, which suffered a ransomware attack on Friday, are both known to use Java or to hold licenses to use it, according to a report by Ars Technica. A spokesman for the Virginia state legislature was not immediately available for comment Tuesday.
