Log4j flaw gets big attention from ‘ruthless’ ransomware gang

The prominent ransomware gang Conti has expanded its efforts to exploit the Apache Log4j vulnerability, likely seeing the widespread flaw as the basis for a new wave of attacks, according to security researchers.

Researchers at cybersecurity firms Qualys and AdvIntel told VentureBeat that they’ve observed activities by Conti to exploit the critical vulnerability in Log4j logging software, known as Log4Shell, in recent days.

Qualys has observed “attempted ransomware attacks, some of which have been successful – by Conti, Khonsari, and some nation-state-backed adversaries,” said Travis Smith, director of malware threat research at Qualys, in an email to VentureBeat. Specifics of the attacks were not disclosed.

Meanwhile, AdvIntel shared findings with VentureBeat indicating that Conti has assembled a full attack chain around the Log4Shell vulnerability and has launched initial attempted attacks. Late last week, AdvIntel became the first cyber firm to report spotting Conti in action around the Log4j vulnerability.

So far, there’s been no public disclosure of a successful ransomware breach stemming from the Log4j vulnerability. But the widespread and trivial-to-exploit flaw in Log4j “is a dream come true for ransomware groups,” said Eyal Dotan, founder and chief technology officer at Cameyo, in an email.

Full attack chain

Khonsari, which was the first ransomware family publicly disclosed by researchers to exploit Log4Shell, has now been joined by the Conti and TellYouThePass families of ransomware, according to researchers.

In its December 17 report, AdvIntel said that Conti has been observed to be exploiting the vulnerability in Log4j to gain access and move laterally on vulnerable VMware vCenter servers.

Since publishing that report, AdvIntel has observed additional activities by Conti around Log4Shell, the company told VentureBeat. Along with identifying Conti’s full attack chain, “we have seen and observed the direct usage [by Conti] across different cases targeting VMware vCenter,” AdvIntel CEO Vitali Kremez said in an email.

Conti’s attack chain includes deployment of the Emotet botnet and the use of Cobalt Strike for reconnaissance, privilege escalation, payload drop, and data-stealing operations, said Yelisey Boguslavskiy, head of research at AdvIntel, in an email to VentureBeat.

“For Conti, this is a major leap in their offensive operations, as they can now experiment and diversify their arsenal,” Boguslavskiy said. “This means, if a certain attack vector, like VPN accesses, becomes less profitable, they can always compensate by investing more in Log4j. Additionally, it gives them another edge in competition with smaller groups who can not afford the proper research to exploit such vulnerabilities efficiently.”

AdvIntel’s research on Conti’s activities was based on primary source intelligence, including victim breach intelligence and subsequent incident response, he said.

In a statement responding to the AdvIntel report, VMware said that “the security of our customers is our top priority” and noted that it has issued a security advisory that is updated regularly. “Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” the company said in the statement.

‘Ruthless’ organization

Conti is believed to be a Russian ransomware group that formerly went by the name Wizard Spider. In a June report, Richard Hickman of Palo Alto Networks’ Unit 42 research group said that Conti “stands out as one of the most ruthless of the dozens of ransomware gangs that we follow.”

“The group has spent more than a year attacking organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, emergency medical services, and law enforcement agencies,” Hickman wrote in the report.

For instance, a May 2021 attack in Ireland “prompted the shutdown of the entire information technology network of the nation’s healthcare system – prompting cancellation of appointments, the shutdown of X-ray systems and delays in COVID testing,” he wrote.

As of the June report, the FBI had found that more than 400 cyberattacks were connected to Conti—with three-fourths of the attacks against organizations based in the U.S. Ransom demands have reached upwards of $25 million, which also places Conti among the “greediest” ransomware groups, Hickman wrote.

Sophisticated attacks

Conti plays a significant role in today’s threat landscape due to its scale, Smith said.

“Conti is always after ransomware and is incredibly strategic and tactical with their approach,” he said. “They do not simply send out a mass spray of phishing emails—they look to gain footholds in environments and move around as quietly as possible until they locate crown jewels.”

Given that Log4Shell enables remote execution of code by unauthenticated users, “it’s going to make sophisticated actors such as Conti wildly successful,” Smith said. “It will allow groups to do reconnaissance, move laterally, and ultimately deploy ransomware.”

Conti faces less of a challenge in how to exploit Log4j and more of a challenge in competing with other threat actors for available attack opportunities, Dotan said. “The fastest ransomware groups able to reach most vulnerable servers would be winning this race,” he said.

And though major ransomware attacks deriving from Log4j have not yet come to light, that doesn’t mean that ransomware groups aren’t busy preparing.

“If you are a ransomware affiliate or operator right now, you suddenly have access to all these new systems,” said Sean Gallagher, a senior threat researcher at Sophos Labs. “You’ve got more work on your hands than you know what to do with right now.”

Preparations needed

Still, while the Log4j vulnerability itself is considered very easy to exploit, a fair amount of legwork is required to utilize it for deploying ransomware. Post-exploitation discovery work needs to take place before a major ransomware attack can be launched, said Ed Murphy, head of product at Huntress.

“It’s not a vulnerability that’s persistent across your and my laptop. So it’s not something I can just reach out and deploy a mass ‘spray and pray’ ransomware attack,” Murphy said in an interview.

Log4j affects servers, and most ransomware operators will not want to just ransom a single server, which probably has backups, he noted.

“Where they actually gain a lot of their income is by being able to affect an entire organization,” Murphy said. “That’s the kind of chaos where people are more willing to pay those ransom demands.”

Thus, after an attacker lands on a server on a corporate network, they’ll first have to figure out what other devices they can “talk to” from that server, he said. Then, they’ll have to figure out what applications are running on those devices—and determine how to make their way from the server to laptops that are connected to it, Murphy said.

This means that it might take some time before major ransomware attacks actually surface from the discovery of Log4Shell. “There’s activity that needs to happen after they’ve exploited the Log4j vulnerability to really gain more control over the network that they landed in,” Murphy said.

Widespread vulnerability

Many enterprise applications and cloud services written in Java are potentially vulnerable due to the flaws in Log4j prior to version 2.17, which was released last Friday. The open source logging library is believed to be used in some form—either directly or indirectly by leveraging a Java framework—by the majority of large organizations.

Version 2.17 of Log4j is the third patch for vulnerabilities in the software since the initial discovery of a remote code execution (RCE) vulnerability on December 9. Security firm Check Point reported Monday it has observed attempted exploits of vulnerabilities in Log4j on more than 48% of corporate networks worldwide.

The ransomware problem had already gotten much worse this year. For the first three quarters of 2021, SonicWall reported that attempted ransomware attacks surged 148% year-over-year. CrowdStrike reports that the average ransomware payment climbed by 63% in 2021, reaching $1.79 million.

Attempted attacks against targets in the U.S. and Europe have been observed using ransomware from the TellYouThePass family, Sophos researchers told VentureBeat on Tuesday.

Ransomware is just one of many major threats potentially posed by the Log4j vulnerability, however. There’s a higher, but less visible, danger related to Log4Shell, according to Dotan. And that is the existence of “sophisticated hacker groups and state-backed hackers who don’t intend to cash out on this opportunity right now,” he said.

Instead, those threat actors would “rather install a backdoor and secretly take control over injected servers over the coming months, without their owners knowing about it,” Dotan said.