Nation-State, Ransomware Groups Using Log4j Bug In Attacks

Hackers in China, Iran, North Korea, and Turkey are capitalizing on the Log4j flaw, with Iran’s Phosphorus group modifying the exploit and China’s Hafnium group hitting virtualization infrastructure, Microsoft said.

A variety of state-sponsored threat actors, ransomware groups and ransomware access brokers have begun leveraging the Log4j vulnerability in active attacks, Microsoft and other IT vendors reported.

The Redmond, Wash.-based software giant said Tuesday that government-backed adversaries in China, Iran, North Korea, and Turkey have exploited the Log4j bug against targets to further the hackers’ objectives. Nation-state activity associated with the Log4j flaw ranges from experimentation during development to integrating the vulnerability into in-the-wild payload development, Microsoft said.

Microsoft specifically called out Iranian ransomware group Phosphorus for acquiring the Log4j exploit, modifying it, and operationalizing those modifications in attacks. In addition, Microsoft said Chinese threat actor Hafnium has capitalized on Log4j to extend its typical targeting by attacking virtualization infrastructure.


[Related: 12 Cybersecurity Vendors Susceptible To The Log4j Vulnerability]

In these attacks, Microsoft said Hafnium-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems. The Biden administration in July formally accused Hafnium - which is affiliated with China’s Ministry of State Security (MSS) - of exploiting Microsoft Exchange Server vulnerabilities during a massive cyberattack in the winter of 2021.

Similarly, Sunnyvale, Calif.-based endpoint security vendor CrowdStrike said Tuesday it has identified a malicious Java class file hosted on infrastructure associated with a nation-state actor. The Java code is used to download known instances of adversary-specific tooling and is likely to be used in conjunction with the Log4j vulnerability. CrowdStrike didn’t specify which nation-state group it saw doing this.

“Numerous adversaries have been conducting active, widespread exploitation of [the Log4j bug] since Dec. 9, 2021,” the CrowdStrike Intelligence Team wrote in a blog post. “This assessment is made with high confidence based on the trivial nature of the exploit as well as internal and external data sources that indicate a massive increase in traffic.”

Outside of the nation-state space, Microsoft said Tuesday that access brokers have begun using the Log4j vulnerability to gain initial access to target networks. These access brokers then sell access to the networks to ransomware-as-a-service affiliates. Access brokers have attempted to exploit both Windows and Linux systems with the Log4j bug, which may lead to an increase in human-operated ransomware.

“Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives,” Microsoft’s unified threat intelligence team wrote in a blog post. “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.”

Meanwhile, Bucharest, Romania-based endpoint security vendor Bitdefender said the nascent Khonsari ransomware family has attempted to exploit the Log4j vulnerability against users running Windows operating systems. A malicious .NET binary file downloaded as part of the ransomware attack will list all of the drives on the user’s system and encrypt them entirely, except the C:\ drive, Bitdefender said.

On the C:\ drive, Bitdefender said, Khonsari encrypts only the Documents, Videos, Pictures, Downloads and Desktop files. A ransom note from Khonsari is written in the Desktop folder of the C:\ drive and opened with Notepad, according to Bitdefender.

“Your files have been encrypted and stolen by the Khonsari family,” Khonsari writes in its ransom note, according to Bitdefender. “If you wish to decrypt, call (***) ***-1309 or email kar***[email protected] you do not know how to buy btc [Bitcoin], use a search engine to find exchanges. DO NOT MODIFY OR DELETE THIS FILE OR ANY ENCRYPTED FILES. IF YOU DO, YOUR FILES MAY BE UNRECOVERABLE.”

All told, San Carlos, Calif.-based platform security vendor Check Point Software Technologies said Wednesday it has observed attempted exploits of the Log4j vulnerability on 46 percent of corporate networks globally. The three most targeted industries have been SI/VAR/distributor, education/research, and ISP/MSP, where exploits have been attempted against 59 percent, 57 percent, and 55 percent of organizations, respectively, Check Point reported.

“We see a pandemic-like spread since the outbreak on Friday,” Check Point wrote in a blog post. “It is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable.”