Home News Threat Actors Exploit Log4j Vulnerability to Deploy Khonsari Ransomware

Threat Actors Exploit Log4j Vulnerability to Deploy Khonsari Ransomware

Researchers found a second vulnerability in the Apache Log4j library exploited by attackers to deploy a new ransomware Khonsari and a Trojan Orcus

Log4j Vulnerability, Log4Shell

Days after the disclosure of Log4Shell, a critical zero-day vulnerability CVE-2021-44228 in the Apache Log4j library, researchers have now identified threat actors exploiting the Log4Shell flaw to deploy a new ransomware variant Khonsari and a remote access Trojan Orcus.

Threat actors allegedly exploited the flaw using botnets like Mirai and Muhstik against vulnerable systems to spread malware. According to a report from Bitdefender, attackers targeted Linux servers and systems running on the Windows operating system.

“This attempt to exploit the Log4j vulnerability uses the malicious hxxp://3.145.115[.]94/Main class to download an additional payload. On Sunday, 11th December, Bitdefender observed this payload as a malicious .NET binary file download from hxxp://3.145.115[.]94/zambo/groenhuyzen.exe. This is a new ransomware family Khonsari after the extension used on the encrypted files. Once executed, the malicious file will list all the drives and encrypt them entirely, except the C:\ drive,” the report said.

Second Log4j Vulnerability Discovered

The second critical vulnerability (CVE-2021-45046) affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, and could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern to craft malicious input data using a JNDI Lookup pattern resulting in a DDoS attack. However, CVE-2021-45046 can be mitigated by applying the patch released by the Apache Software Foundation (ASF) in its latest advisory.

CISA Recommends Fixing Log4Shell Flaw Before Christmas

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently notified organizations to patch the affected and vulnerable systems to the Log4Shell flaw by Christmas. CISA added the Log4Shell vulnerabilities to its actively-exploited security flaws list along with 12 other vulnerabilities. In addition, the agency also announced a dedicated portal that provides guidance on the Log4Shell vulnerability to all public and private sector organizations in the U.S.

“For these vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. Users of such products and services should refer to the vendors of these products/services for security updates,” CISA said.

Experts Take on the Issue

Glen PendleyCommenting on the rising threats with Log4j vulnerability, Glen Pendley, Deputy  Chief Technology Officer at Tenable, said, “Log4Shell, a critical vulnerability in Apache Log4j, is in a league above every other vulnerability we’ve seen in the last few decades. It gives flaws like Heartbleed and Shellshock, a run for their money because of just how pervasive and devastating it is. Everything across heavy industrial equipment, network servers, down to printers, and even your kid’s Raspberry Pi is potentially affected by this flaw. Some affected systems may be on-premises, others may be hosted in the cloud, but no matter where they are, the flaw is likely to have an impact.

Cybercriminals are already rubbing their hands with glee as early signs of ransomware activity have started to emerge. The worst part is, we aren’t even in the thick of it yet. Don’t be surprised when some major disruptions occur over the next few weeks and months, pointing at Log4j as the root cause.”