Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More
Researchers at major cybersecurity firms say they’re seeing indications of attackers exploiting Log4Shell, the widespread Apache Log4j vulnerability, in ways that might be laying the groundwork for a ransomware attack.
Microsoft’s threat intelligence teams reported on Saturday that they’ve seen Log4Shell exploited to install Cobalt Strike, a popular tool with cybercriminals that is often seen as a precursor to deploying ransomware.
Cisco’s threat intelligence team, Talos, hasn’t directly seen the installation of Cobalt Strike so far—but “we’ve seen an increase in malicious Cobalt Strike servers online that may be supporting infrastructure,” said Matt Olney, director of threat intelligence and interdiction at Cisco Talos, in an email to VentureBeat.
And researchers at Sophos have seen “signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” said Sean Gallagher, a senior threat researcher at Sophos, in a statement circulated to media.
Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.
At the time of this writing, no ransomware groups are publicly known to have exploited the vulnerability in Log4j to deploy a ransomware attack.
The Log4Shell vulnerability was revealed late Thursday and impacts a broad swath of enterprise software and cloud services. The vulnerability affects any application that uses Apache Log4j, an open source logging library, and many applications and services written in Java are potentially vulnerable.
Along with being widespread, the flaw is also considered highly dangerous because it’s seen as fairly easy to exploit. The remote code execution (RCE) vulnerability can ultimately enable an attacker to remotely access and control devices.
In its blog post published Saturday, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.”
In particular, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.
Microsoft did not provide further details on the attacks. VentureBeat has reached out to Microsoft for any updated information.
Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 650,000 security customers.
Microsoft’s report of seeing Cobalt Strike installation is notable because the tool is “commonly abused by targeted ransomware,” said Chris Doman, cofounder and chief technology officer at cyber vendor Cado Security, in an email to VentureBeat.
Popular with cybercriminals
Cobalt Strike was originally a legitimate tool for penetration testing, but a leaked version of the platform’s source code reportedly appeared on GitHub in late 2020, and researchers say the tool has increasingly been leveraged by cybercriminals.
Use of Cobalt Strike by threat actors surged 161% in 2020, year over year, according to a recent report from Proofpoint. And the tool has been “appearing in Proofpoint threat data more frequently than ever” in 2021, the company said.
Many security researchers—including at Cisco Talos, VMware Carbon Black, and Accenture Security—have reported a significant correlation between the use of Cobalt Strike and ransomware attacks.
The Cobalt Strike tool is useful both because of its effectiveness—the tool launches a “beacon” enabling actions such as remote surveillance and lateral movement—as well as the “anonymity” it offers due to its popularity, VMware and Accenture researchers said in a recent threat research post.
“As the use of Cobalt Strike increases among ransomware operators, Accenture Security and Carbon Black have, in turn, observed attackers use Cobalt Strike Beacon capabilities, such as named pipes over Server Message Block (SMB) and WinRM to move laterally in targeted networks,” the researchers said in the post.
Deployment of malware that takes advantage of Log4Shell has already begun, with researchers reporting they’ve observed the use of Mirai and Muhstik botnets to deploy distributed denial of service (DDoS) attacks, as well as deployment of Kinsing malware for crypto mining.
It may only be a “matter of days” before ransomware might be deployed in connection with the vulnerability in Log4j, said David Warshavski, vice president of enterprise security at cybersecurity vendor Sygnia, in an email to VentureBeat.
Due to the broad reach of the vulnerability in Log4j, “the bar for ransomware threat actors to breach enterprise networks and establish an initial foothold has been lowered significantly,” Warshavski said.
The vulnerability comes with the majority of businesses already reporting that they’ve had first-hand experience with ransomware over the past year. A recent survey from CrowdStrike found that 66% of organizations had experienced a ransomware attack in the previous 12 months, up from 56% in 2020. And the average ransomware payment has surged by about 63% in 2021, reaching $1.79 million, the report said.
In terms of Log4Shell, managed detection and response firm Huntress so far has “not seen any serious attacks on our partners and their customers,” said Roger Koehler, vice president of threat ops at the company, in an email. “It’s a little early to hear of anything serious right now,” Koehler said.
However, “this is just the beginning, and we will be seeing this for a long time,” Koehler said.
Exploits began earlier
Researchers have also said that exploits of the vulnerability may have begun as far back as December 1 or December 2.
Cisco Talos said it has discovered attacker activity related to the Log4Shell vulnerability starting on December 2. “It is recommended that organizations expand their hunt for scanning and exploit activity to this date,” Talos researchers said.
Meanwhile, Matthew Prince, CEO of Cloudflare, said his company has found evidence of a Log4j exploit starting on December 1. “However, [we] don’t see evidence of mass exploitation until after public disclosure” on December 9, Prince said on Twitter.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.