How the cybercriminal underground reacted to Log4j

Given that attackers often race to take advantage of vulnerabilities in any way they can, Intel 471 wants to explain what we have observed on the underground.

Dec 22, 2021

The Log4j vulnerability has rocked the IT world, with the vast majority of tech teams consumed with trying to gauge how it impacts their organizations. The popular logging tool is used in tens of thousands of software packages, so assessing the damage that could be inflicted by exploiting the vulnerability is an extremely tall task for the information security community. Given that attackers often race to take advantage of vulnerabilities in any way they can, Intel 471 wants to explain what we have observed across the cybercrime underground. There is a tremendous amount of noise surrounding the vulnerability, so it’s crucial for security teams to understand what to focus on in order to fix things as soon as possible and limit any impact.

Malware

Intel 471 has identified several malware families attempting to exploit the Log4j vulnerability since its announcement. These include mass-malware families such as the Mirai and Muhstik (aka Tsunami) botnets, which are typically used for distributed denial-of-service (DDoS) attacks. We also observed an attempted exploit from the Kinsing malware, which is typically used to mine cryptocurrency.

Intel 471 also identified three main open-source tools that threat actors abused in real exploitation scenarios and mentioned across underground channels. The tools have a similar purpose: to set up malicious infrastructure to answer Log4j’s Java Naming and Directory Interface (JNDI) lookups.

As this blog was being written, other security researchers found evidence that threat actors exploited the vulnerability to push Dridex binaries from at least two botnets. If these botnets have successfully managed to push Dridex through this vulnerability, this may lead to ransomware attacks, due to the known link between Dridex malware and ransomware variants.

Threat Actors

Overall, Intel 471 has detected limited threat actor discussion of this vulnerability. The activity we have observed relates to the sharing of the vulnerability, its impact on businesses and proof-of-concept (PoC) code.

What organizations can do

Since this vulnerability can enable a threat actor to remotely execute arbitrary code on a vulnerable system, it is highly likely we will see significant interest in the vulnerability from several threat actors, with the most concerning being ransomware operators. If left unpatched, it is highly likely ransomware operators will seek to exploit this vulnerability to conduct attacks against vulnerable businesses. The most significant risk is posed by ransomware-as-a-service (RaaS) operators, since their numbers are plentiful and affiliates can target a significant number of businesses at the same time. With current top ransomware operators averaging one to two attacks per day in the third quarter of 2021, this cadence puts many businesses at risk of being targeted through this vulnerability if it is not patched.

It is also likely we will see several access brokers attempt to exploit the vulnerability to generate a quick profit. The known link between access brokers and ransomware operators makes it probable we will observe known access brokers attempting to sell access to impacted businesses over the next few weeks, with ransomware operators purchasing it.

Remediation

It is highly recommended that users upgrade Log4j to the latest version. Where upgrading Log4j is not immediately feasible, exploitation attempts can still be averted by removing the JndiLookup class from the classpath.
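The class removal described above can be checked and applied per archive. The following is an added example, not Intel 471's code: the function names are hypothetical, and it assumes the class sits at its standard path inside log4j-core, so relocated (shaded) copies are not detected.

```python
import io
import zipfile
from pathlib import Path

# Class that log4j-core uses to resolve JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")


def find_jndi_lookup(data, label):
    """Return locations (outer!/inner) of archives that still hold the class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif name.lower().endswith(ARCHIVES):
                # Fat jars and WARs bundle log4j-core as a nested archive.
                hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}")
    return hits


def scan_tree(root):
    """Check every archive under root, including nested ones."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits += find_jndi_lookup(path.read_bytes(), str(path))
    return hits


def strip_jndi_lookup(jar_path):
    """Rewrite a top-level jar without the class; True if it was removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    Path(jar_path).write_bytes(buf.getvalue())
    return True
```

`strip_jndi_lookup` rewrites only top-level archives; a nested copy reported as `outer!/inner` needs the inner jar replaced and the outer archive rebuilt. Restart the application after the change so the modified jar is the one loaded.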

This incident is just beginning to unfold and will continue to be fluid for some time. Intel 471 will continue to issue updates as information becomes available via its Log4j vulnerability SITREP.