Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware


Romanian cybersecurity technology company Bitdefender on Monday
revealed that attempts are being made to target Windows machines
with a novel ransomware family called Khonsari[1]
as well as a remote access Trojan named Orcus[2]
by exploiting the recently disclosed critical Log4j
vulnerability[3].

The attack leverages the remote code execution flaw to download
an additional payload, a .NET binary, from a remote server that
encrypts all the files with the extension “.khonsari” and displays
a ransom note that urges the victims to make a Bitcoin payment in
exchange for recovering access to the files.

The vulnerability is tracked as CVE-2021-44228[4]
and is also known by the monikers “Log4Shell” or “Logjam.” In
simple terms, the bug could force an affected system to download
malicious software, giving the attackers a digital beachhead on
servers located within corporate networks.


Log4j is an open-source Java library maintained by the nonprofit
Apache Software Foundation. Amassing about 475,000 downloads[5]
from its GitHub project and adopted widely for application event
logging, the utility is also a part of other frameworks, such as
Elasticsearch, Kafka and Flink, that are used in many popular
websites and services.

The disclosure comes as the U.S. Cybersecurity and
Infrastructure Security Agency (CISA) sounded an alarm warning[6]
of active, widespread exploitation of the flaw that, if left
unaddressed, could grant unfettered access and unleash a new round
of cyber attacks, as fallout from the bug has left companies
rushing to find and patch vulnerable machines.
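The "find" half of finding and patching vulnerable machines is an inventory problem: log4j-core is usually buried inside application JARs, WARs and fat JARs rather than installed on its own. The following scanner is an added example, not code from the article, Bitdefender or CISA. It walks a directory tree, opens every Java archive (one level of nesting included), reads the version from the Maven `pom.properties` that log4j-core ships under `META-INF/maven/org.apache.logging.log4j/log4j-core/`, and checks whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is present, since removing that class was the published interim mitigation. Versions below 2.15.0 (the first release fixing CVE-2021-44228) with the class still present are reported as vulnerable; the sample archives it builds are constructed placeholders, not real Log4j artifacts.

```python
"""Inventory log4j-core copies on disk and classify them against CVE-2021-44228.

Added example (not from the article). Assumptions, stated here and in the
lead-in: log4j-core carries a Maven pom.properties with a 'version=' line,
and the JNDI lookup class path below is where the interim mitigation
(deleting the class from the JAR) takes effect.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # first log4j-core release fixing CVE-2021-44228 on Java 8+
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version, has_jndi):
    """Map a version tuple and JndiLookup presence to a review status."""
    if version is None:
        return "unknown_version"        # needs manual review
    if version >= FIXED:
        return "patched"
    return "vulnerable" if has_jndi else "mitigated"  # class removed


def inspect_archive(zf, label):
    """Inspect one open ZipFile; recurse into archives bundled inside it."""
    findings = []
    names = set(zf.namelist())
    if POM_PATH in names:
        version = parse_version(zf.read(POM_PATH).decode("utf-8", "replace"))
        has_jndi = JNDI_CLASS in names
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": has_jndi,
                         "status": classify(version, has_jndi)})
    for name in sorted(names):
        if name.endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory and return findings for every Java archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree():
    """Constructed sample data: three archives in a temp dir, not real builds."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def fake_log4j_core(version, keep_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
            if keep_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        return buf.getvalue()

    # fat JAR bundling an unpatched log4j-core (the common real-world shape)
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", fake_log4j_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.16.0.jar"), "wb") as fh:
        fh.write(fake_log4j_core("2.16.0"))
    with open(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "wb") as fh:
        fh.write(fake_log4j_core("2.14.1", keep_jndi=False))
    return root


def demo():
    """Scan the constructed tree; return {relative archive label: status}."""
    root = build_sample_tree()
    return {f["archive"].replace(root + os.sep, ""): f["status"]
            for f in scan_tree(root)}


if __name__ == "__main__":
    for archive, status in demo().items():
        print(f"{status:16} {archive}")
```

On a real host, point `scan_tree` at application directories (servlet container webapps, `/opt`, home directories of service accounts) and treat `unknown_version` hits as items to open by hand; a vendor may have repackaged the library without its Maven metadata, and that copy is exactly the one that an inventory based on package managers will miss.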

“An adversary can exploit this vulnerability by submitting a
specially crafted request to a vulnerable system that causes that
system to execute arbitrary code,” the agency said[7]
in guidance issued Monday. “The request allows the adversary to
take full control over the system. The adversary can then steal
information, launch ransomware, or conduct other malicious
activity.”


Furthermore, CISA has also added[8]
the Log4j vulnerability to its Known Exploited Vulnerabilities
Catalog
[9], giving federal agencies
a deadline of December 24 to incorporate patches for the flaw.
Similar advisories have previously been issued by government
agencies in Austria[10], Canada[11], New Zealand[12], and the U.K.[13]


So far, active exploitation attempts[14] recorded in the wild
have involved the abuse of the flaw to rope the devices into a
botnet, and drop additional payloads such as Cobalt Strike and
cryptocurrency miners. Cybersecurity firm Sophos said it also
observed[15] attempts to exfiltrate
keys and other private data from Amazon Web Services.

In a sign that the threat is rapidly evolving, Check Point
researchers warned[16] that 60 new variations of
the original Log4j exploit had been introduced in less than 24 hours,
adding that the company had blocked more than 845,000 intrusion attempts, with 46% of
the attacks staged by known malicious groups.

A vast majority of the exploitation attempts against Log4Shell
have originated in Russia (4,275), based on telemetry data[17] from Kaspersky,
followed by Brazil (2,493), the U.S. (1,746), Germany (1,336),
Mexico (1,177), Italy (1,094), France (1,008), and Iran (976). In
comparison, only 351 attempts were mounted from China.


The mutating nature of the exploit notwithstanding, the
prevalence of the tool across a multitude of sectors has also put
industrial control systems and operational technology environments
that power critical infrastructure on high alert.

“Log4j is used heavily in external/internet-facing and internal
applications which manage and control industrial processes leaving
many industrial operations like electric power, water, food and
beverage, manufacturing, and others exposed to potential remote
exploitation and access,” said[18] Sergio Caltagirone,
vice president of threat intelligence at Dragos. “It’s important to
prioritize external and internet-facing applications over internal
applications due to their internet exposure, although both are
vulnerable.”

The development once again highlights how major security
vulnerabilities identified in open-source software can pose a
serious threat to organizations that include such off-the-shelf
dependencies in their IT systems. Its broad reach aside, Log4Shell
is all the more concerning for its relative ease of exploitation,
which lays the foundation for future ransomware attacks.

“To be clear, this vulnerability poses a severe risk,” CISA
Director Jen Easterly said[19]. “This vulnerability,
which is being widely exploited by a growing set of threat actors,
presents an urgent challenge to network defenders given its broad
use. Vendors should also be communicating with their customers to
ensure end users know that their product contains this
vulnerability and should prioritize software updates.”

References

  1. Khonsari (businessinsights.bitdefender.com)
  2. Orcus (malpedia.caad.fkie.fraunhofer.de)
  3. Log4j vulnerability (thehackernews.com)
  4. CVE-2021-44228 (thehackernews.com)
  5. about 475,000 downloads (github.com)
  6. warning (www.cisa.gov)
  7. said (www.cisa.gov)
  8. added (www.cisa.gov)
  9. Known Exploited Vulnerabilities Catalog (thehackernews.com)
  10. Austria (cert.at)
  11. Canada (cyber.gc.ca)
  12. New Zealand (www.cert.govt.nz)
  13. the U.K. (www.ncsc.gov.uk)
  14. active exploitation attempts (thehackernews.com)
  15. observed (news.sophos.com)
  16. cautioned (blog.checkpoint.com)
  17. telemetry data (securelist.com)
  18. said (www.dragos.com)
  19. said (www.cisa.gov)
