Bitdefender, a Romanian cybersecurity technology firm, announced on Monday that attempts are being made to attack Windows devices with a unique ransomware family known as Khonsari, as well as a remote access Trojan known as Orcus, by leveraging the recently discovered serious Log4j vulnerability.
The attack takes advantage of the remote code execution (RCE) flaw to fetch an additional payload, a .NET binary, from a remote server; that binary encrypts all files with the extension “.khonsari” and displays a ransom note urging victims to pay a Bitcoin ransom in return for regaining access to their data.
The RCE flaw, tracked as CVE-2021-44228, is also called “Log4Shell” or “Logjam” and affects versions 2.0-beta9 through 2.14.1 of the library. In layman’s terms, the bug can force an affected system to install malicious software, giving hackers a digital foothold on corporate network servers.
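For defenders who need to find which copies of the library fall inside the affected range stated above, the following added example (not code from the article or from any of the vendors it cites) compares Log4j 2 version strings in release order, treating the “beta” and “rc” pre-release tags correctly, and triages a constructed list of jar paths. The range bounds, jar naming pattern, and sample inventory are assumptions for illustration.

```python
import re

# Affected range exactly as the article states it: 2.0-beta9 through 2.14.1 (inclusive).
AFFECTED_FROM = "2.0-beta9"
AFFECTED_TO = "2.14.1"

# Pre-release tags sort before the final release of the same version number.
_PRERELEASE_RANK = {"beta": 0, "rc": 1}
_FINAL_RANK = 2


def version_key(version: str) -> tuple:
    """Turn a Log4j 2 version string such as '2.0-beta9' or '2.14.1'
    into a tuple that compares in release order (beta < rc < final)."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    numbers = (int(major), int(minor or 0), int(patch or 0))
    if tag:
        return numbers + (_PRERELEASE_RANK[tag], int(tag_num))
    return numbers + (_FINAL_RANK, 0)


def is_affected(version: str) -> bool:
    """True if the version lies inside the range the article gives."""
    return version_key(AFFECTED_FROM) <= version_key(version) <= version_key(AFFECTED_TO)


# Assumed naming convention of the core artifact, e.g. log4j-core-2.14.1.jar.
_JAR_NAME = re.compile(r"^log4j-core-(\S+?)\.jar$")


def version_from_jar(filename: str):
    """Extract the version from a log4j-core jar file name, or None if it is not one."""
    m = _JAR_NAME.match(filename)
    return m.group(1) if m else None


def triage(paths):
    """Return the paths of log4j-core jars whose version is in the affected range."""
    hits = []
    for path in paths:
        version = version_from_jar(path.rsplit("/", 1)[-1])
        if version and is_affected(version):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real findings from any system.
    sample = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-core-2.0-beta8.jar",
              "/opt/app/lib/log4j-core-2.15.0.jar", "/opt/app/lib/log4j-api-2.14.1.jar"]
    for hit in triage(sample):
        print("affected:", hit)
```

Only `log4j-core` is matched because that is the artifact carrying the vulnerable lookup code; extend the pattern if your deployments shade or rename the jar.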
The Apache Software Foundation maintains Log4j, an open-source Java library. The utility has had over 475,000 installations from its GitHub repository and is extensively used for app event logging. It is also a component of other frameworks, such as Elasticsearch, Kafka, and Flink, which are used in several major web services.
The warning comes as the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about active, widespread exploitation of the vulnerability, which, if left unresolved, could grant attackers unrestricted access and unleash a new wave of cyberattacks as companies scramble to find and patch susceptible machines.
“An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code,” the agency said in guidance issued Monday. “The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.”
In addition, CISA has added the Log4j flaw to its Known Exploited Vulnerabilities Catalog, giving government agencies until December 24 to implement remedies for the bug. Similar warnings have already been published by government organizations in Austria, Canada, New Zealand, and the United Kingdom.
So far, active exploitation attempts in the wild have focused on abusing the bug to hook machines into a botnet and deliver additional payloads such as Cobalt Strike and bitcoin miners. Sophos, a cybersecurity firm, reported seeing efforts to steal Amazon Web Services (AWS) keys and other confidential data from infected servers.
Check Point analysts warned of 60 new variants of the original Log4j vulnerability being published in less than 24 hours, indicating that the threat is fast developing, adding that it prevented more than 1,272,000 intrusion attempts, with 46 percent of the assaults conducted by known criminal groups. Log4Shell was labeled a “real cyber epidemic” by an Israeli security firm.
According to Kaspersky telemetry data, the great majority of Log4Shell exploitation attempts (4,275) originated in Russia, followed by Brazil (2,493), the United States (1,746), Germany (1,336), Mexico (1,177), Italy (1,094), France (1,008), and Iran (976). China, on the other hand, made just 351 tries.
Even as the exploit continues to evolve, the library’s widespread use across a variety of industries has put industrial control systems, as well as the operational technology environments that power vital infrastructure, on constant alert.
“Log4j is used heavily in external/internet-facing and internal applications which manage and control industrial processes leaving many industrial operations like electric power, water, food and beverage, manufacturing, and others exposed to potential remote exploitation and access,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “It’s important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable.”
The development underscores how severe security flaws discovered in open-source software can pose a substantial danger to enterprises that rely on such off-the-shelf dependencies in their IT systems. Aside from its extensive reach, Log4Shell is particularly troubling due to its relative simplicity of exploitation, laying the groundwork for future ransomware assaults.
“To be clear, this vulnerability poses a severe risk,” CISA Director Jen Easterly said. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. Vendors should also be communicating with their customers to ensure end-users know that their product contains this vulnerability and should prioritize software updates.”