For cybercriminal operators specializing in ransomware, business was already good before the widely used Apache Log4j logging library was found to contain an easy-to-exploit vulnerability. But a number of indicators suggest that, thanks to that vulnerability, known as Log4Shell, opportunities in the ransomware business are about to become even more abundant, to the detriment of everyone else.
Defenders, of course, are doing their best to prevent this from happening. But according to security researchers, signs have surfaced indicating that ransomware attacks exploiting the Log4j flaw, which was disclosed just a week ago, are all but inevitable in the coming months.
A troubling indicator in recent days has been the activity of "initial access brokers," cybercriminals who specialize in breaking into a network and installing backdoors so that they can get in and out without being detected. They then sell that access to the ransomware operators who carry out the actual attacks, or sometimes to "ransomware-as-a-service" outfits, according to security researchers. Ransomware-as-a-service operators lease ransomware variants to other attackers, saving those attackers the effort of building their own.
Microsoft reported this week that it has observed activity by suspected access brokers linked to ransomware affiliates who are now exploiting the Log4j vulnerabilities. This suggests that an "increase in human-operated ransomware" will follow, against both Windows and Linux systems, Microsoft said.
Cybersecurity giant Sophos has seen activity attempting to install a Windows backdoor, which points to access brokers, said Sean Gallagher, senior threat researcher at SophosLabs.
“You can guess they’re probably access brokers or other cybercriminals who could sell access on the sidelines,” Gallagher told VentureBeat.
Ransomware gang activity
Other related developments include a report from cyber firm AdvIntel that a major ransomware gang, Conti, was found to be using the Log4j vulnerabilities to gain access to, and move laterally across, vulnerable VMware vCenter servers. VentureBeat has reached out to VMware for comment.
Log4Shell may still take weeks or months to result in the first successful ransomware attack, Gallagher noted. Ransomware operators will often exfiltrate a company's data for a period of time before deploying the ransomware that encrypts the company's files, Gallagher said. That allows the operator to also demand payment from the company in return for not releasing the stolen data on the web.
“It may take a while to see the real impact in terms of what people have gained access to and what the economic impact of that access is,” Gallagher said.
The growing threat
The ransomware problem had already gotten worse this year. For the first three quarters of 2021, SonicWall reported a 148% year-over-year increase in ransomware attack attempts. CrowdStrike reports that the average ransomware payment rose 63% to $1.79 million in 2021.
The same CrowdStrike report found that 66% of organizations had experienced a ransomware attack in the past 12 months, up from 56% in the company's 2020 report.
This year's high-profile ransomware incidents include attacks on fuel pipeline operator Colonial Pipeline, meat processing firm JBS Foods and IT management software firm Kaseya, all of which had far-reaching consequences beyond the victims' own walls.
The Log4j vulnerability has received an overwhelming response from security teams. But even so, according to researchers, ransomware attacks exploiting the flaw remain likely.
“If you’re a ransomware affiliate or operator right now, you’ll suddenly have access to all of these new systems,” Gallagher said. “There’s more work on your hands than you know what to do right now.”
Many applications and services written in Java are potentially vulnerable to Log4Shell, which can give unauthenticated attackers remote code execution. Researchers at the cybersecurity giant Check Point said they have observed Log4j exploitation attempts against more than 44% of corporate networks worldwide.
Meanwhile, research by cyber firm Blumira suggests an additional attack vector for the Log4j flaw, one that may expose not only vulnerable servers but also individuals browsing the web from a machine with unpatched Log4j software on it. ("At this time, there is no evidence of active exploitation," Blumira said.)
Attempts at ransomware delivery have already been made using the Log4j vulnerabilities. Bitdefender and Microsoft this week reported attack attempts using a new ransomware family called Khonsari that exploited the flaw. Microsoft also said that an Iranian group called Phosphorus, which has previously deployed ransomware, had been observed acquiring and modifying the Log4j exploit.
At the time of writing, there has been no public announcement of a successful ransomware breach exploiting vulnerabilities in Log4j.
“We haven’t seen direct ransomware deployments, but it’s just a matter of time,” Nick Biasini, head of outreach at Cisco Talos, said in an email this week. “This is a high-intensity vulnerability that can be found in many products. The time required to patch everything alone will allow different risk groups to take advantage of it in a variety of attacks, including ransomware.”
What about Kronos?
So far, there is still no indication as to whether last Saturday’s ransomware attack against Kronos Private Cloud had anything to do with the Log4j vulnerability. The attack has been widely felt, with workers at many companies that use the software for payroll potentially having their paychecks delayed.
In an update on Friday, the business’s parent company, Ultimate Kronos Group (UKG), said the question of whether Log4j was a factor was still under investigation, although the company noted it was rapidly patching the vulnerability.
“As soon as the Log4j vulnerability was recently reported to the public, we initiated rapid patching processes at UKG and our subsidiaries, as well as actively inspecting our software supply chain for any advice on third-party software that may be affected by this vulnerability,” the company said. “We are currently investigating whether there is a link between the latest Kronos private cloud security incident and the Log4j vulnerability.”
The company had no further comment when reached by VentureBeat on Friday.
Even if the attack was enabled by the Log4j vulnerability, it is “absolutely possible” that UKG would never be able to determine that, Gallagher noted.
“There are times when you have no way of knowing what the starting point of access was for a ransomware operator,” he said. “When they’re done, you’re poking through the ashes with a rake trying to figure out what happened. Sometimes you can find pieces that tell you [how it occurred], and sometimes you don’t. It is quite possible that, if it were Log4j, they would have no idea.”