Log4j Vulnerability Already Being Used for New Ransomware
Posted by: GuidePoint Security
Published 12/22/21, 9:00am
It was only just over a week ago that the Log4j vulnerability, dubbed “Log4Shell”, was declared to be a “security meltdown” and “enterprise nightmare” with “tsunami impact,” by pundits across the cybersecurity industry. And now those pundits’ predictions are proving precariously precise, as the vulnerability has now been used to deliver a new strain of ransomware, named “Khonsari.”
Developed by the Apache Foundation, Log4j is a widely used Java-based logging library found in both enterprise and home environments. Millions of Java-based applications, including web-based ones, use the library. The vulnerability lies in the library’s handling of Java Naming and Directory Interface (JNDI) lookups, which can be abused to make an application fetch, load, and execute content from remote servers.
The remote code execution (RCE) vulnerability is tracked as CVE-2021-44228. A proof-of-concept exploit for it was published on 12/9, before Apache released its Log4j patch; that patch is now available. Zero-day attacks began shortly thereafter.
In the case of the new “Khonsari” ransomware, the JNDI lookup points the vulnerable application to a remote server to load a Java class that then downloads a .NET binary and begins encrypting files.
Interestingly, at present the ransomware does not appear to be designed to collect payment for decryption. The ransom note dropped after execution contains no valid contact information for the threat actor; instead it gives the phone number and email address of a Louisiana antique shop. Since the note offers victims no path to successfully decrypt their files, there is a chance this ransomware’s true purpose is destruction rather than extortion.
Next Steps
If you haven’t already, upgrade any instances of Log4j in your environment to v2.17.0 if possible. If you are using a vulnerable version of Log4j (versions 2.10 and above) and cannot upgrade, our Security Advisory blog on the vulnerability has other mitigations and recommendations you can apply.
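As an added illustration of the upgrade check above (this is example code, not GuidePoint’s own tooling), the following Python script inventories log4j-core jars under a directory and flags anything older than 2.17.0. It reads the version from each jar’s manifest (Implementation-Version) rather than trusting the filename, and also looks one level inside .war/.ear/fat-jar bundles, where Log4j is often embedded; the directory layout and sample jars it builds are constructed for the demo and are not real artifacts.

```python
import io, os, re, tempfile, zipfile
FIXED = (2, 17, 0)  # version the post tells readers to upgrade to
JAR_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")

def parse_version(text):
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def jar_version(zf, name):
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M) or JAR_RE.search(name)
    return parse_version(m[1]) if m else None

def status(version):
    return "unknown" if version is None else "ok" if version >= FIXED else "upgrade"  # unknown: review by hand

def scan(root):
    """Map each log4j-core jar under root (path relative to root) to ok/upgrade/unknown."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if not zipfile.is_zipfile(path):
                continue
            rel = os.path.relpath(path, root)
            with zipfile.ZipFile(path) as zf:
                if JAR_RE.search(fname):
                    found[rel] = status(jar_version(zf, fname))
                for inner in zf.namelist():  # jars bundled one level deep in a .war/.ear/fat jar
                    if JAR_RE.search(inner):
                        with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as nested:
                            found[f"{rel}!{inner}"] = status(jar_version(nested, inner))
    return found

def demo_tree():  # constructed sample tree for the demo, not real artifacts
    def jar_bytes(version=None):  # version None -> jar without a manifest
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            if version:
                z.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        return buf.getvalue()
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "log4j-core-2.17.0.jar"), "wb") as f:
        f.write(jar_bytes("2.17.0"))  # patched and correctly named
    with zipfile.ZipFile(os.path.join(root, "shop.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", jar_bytes("2.14.1"))  # renamed, still old
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", jar_bytes())          # no manifest: filename used
    return root
```

Run `scan("/")` or `scan("/opt")` against a real host to build the inventory; anything reported as `upgrade` or `unknown` needs attention.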