The Log4j vulnerability is so potent that it appears to have brought many of the retired and inactive malicious actors out of the woodwork.
Multiple cybersecurity researchers, including those from Sophos and Curated Intelligence, are now saying that they’ve spotted an attempted distribution of TellYouThePass, an old ransomware strain that was deemed inactive, through the Log4Shell vulnerability.
According to the researchers, the ransomware, last seen in July 2020, is being used against targets in China, the U.S., and Europe, including Amazon and Google cloud services. The malicious actors are targeting both Windows and Linux devices, with the version for the latter being able to steal Secure Socket Shell (SSH) keys and perform lateral movement.
Abusing Log4j to distribute ransomware is not that widespread just yet, the researchers are saying, noting they are yet to observe any activity from ransomware deployed this way.
However, that doesn’t mean ransomware operators aren’t moving in that direction. It could mean that they’re still in the reconnaissance phase, moving through compromised networks, mapping out endpoints and identifying key data.
Speaking to VentureBeat, Cisco Talos threat researcher Chris Neal says preventing malware detection is crucial for malicious actors at this point: “After initial access, these attackers will commonly choose to gain persistence, and then minimize their footprint to prevent detection and perform reconnaissance,” Neal said. “This type of behavior may account for the lack of ransomware campaigns utilizing this exploit being observed.”
Moving away from cryptomining
For the moment, cryptomining seems to be the most popular way to abuse the log4j flaw, but with ransomware offering a much higher - and faster - ROI, researchers are expecting threat actors to pivot quickly.
“Some of these small things, like a crypto miner, can end up just being that first stage of attack,” Roger Koehler, vice president of threat ops at Huntress, told VentureBeat. “Because they can go and sell that access on the black market. And somebody bigger and badder may buy that and do something more detrimental, like a ransomware attack.”
Ultimately, “those crypto miners can seem small, but that can escalate to something bigger.”
- You might also want to check out our list of the best firewalls right now