Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability.
The attack leverages the remote code execution (RCE) flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files.
Tracked as CVE-2021-44228, the RCE vulnerability is also known by the monikers "Log4Shell" or "Logjam" and impacts versions 2.0-beta9 to 2.14.1 of the software library. In simple terms, the bug could force an affected system to download malicious software, giving the attackers a digital beachhead on servers located within corporate networks.
Log4j is an open-source Java library maintained by the nonprofit Apache Software Foundation. Amassing about 475,000 downloads from its GitHub project and adopted widely for application event logging, the utility is also a part of other frameworks, such as Elasticsearch, Kafka and Flink, that are used in many popular websites and services.
The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) sounded an alarm warning of active, widespread exploitation of the flaw that, if left unaddressed, could grant unfettered access and unleash a new round of cyber attacks, as fallout from the bug has left companies rushing to find and patch vulnerable machines.
"An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code," the agency said in guidance issued Monday. "The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity."
Furthermore, CISA has also added the Log4j vulnerability to its Known Exploited Vulnerabilities Catalog, giving federal agencies a deadline of December 24 to incorporate patches for the flaw. Similar advisories have been previously issued by government agencies in Austria, Canada, New Zealand, and the U.K.
So far, active exploitation attempts recorded in the wild have involved the abuse of the flaw to rope the devices into a botnet, and drop additional payloads such as Cobalt Strike and cryptocurrency miners. Cybersecurity firm Sophos said it also observed attempts to exfiltrate Amazon Web Services (AWS) keys and other private data from compromised systems.
In a sign that the threat is rapidly evolving, Check Point researchers cautioned of 60 new variations of the original Log4j exploit being introduced in less than 24 hours, adding it blocked more than 1,272,000 intrusion attempts, with 46% of the attacks staged by known malicious groups. The Israeli security company dubbed Log4Shell a "true cyber pandemic."
A vast majority of the exploitation attempts against Log4Shell have originated in Russia (4,275), based on telemetry data from Kaspersky, followed by Brazil (2,493), the U.S. (1,746), Germany (1,336), Mexico (1,177), Italy (1,094), France (1,008), and Iran (976). In comparison, only 351 attempts were mounted from China.
The mutating nature of the exploit notwithstanding, the prevalence of the tool across a multitude of sectors has also put industrial control systems and operational technology environments that power critical infrastructure on high alert.
"Log4j is used heavily in external/internet-facing and internal applications which manage and control industrial processes leaving many industrial operations like electric power, water, food and beverage, manufacturing, and others exposed to potential remote exploitation and access," said Sergio Caltagirone, vice president of threat intelligence at Dragos. "It's important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable."
The development once again highlights how major security vulnerabilities identified in open-source software could spark a serious threat to organizations that include such off-the-shelf dependencies in their IT systems. The broad reach aside, Log4Shell is all the more concerning for its relative ease of exploitation, laying the foundation for future ransomware attacks.
"To be clear, this vulnerability poses a severe risk," CISA Director Jen Easterly said. "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates."
