
Second ransomware group exploiting Log4j in China, Europe, and US

(“Java Logo” by mrjoro is licensed under CC BY-NC 2.0)

Researchers at Sophos and Curated Intelligence on Tuesday confirmed that a second ransomware family – TellYouThePass – has been exploiting the Apache Log4j vulnerability.

Sophos told VentureBeat that TellYouThePass – an older and dormant ransomware family – has come back to life and been discovered in China, as well as the United States and Europe.

First it was the Khonsari ransomware, and now TellYouThePass, said Anurag Gurtu, CPO at StrikeReady. Gurtu said he fully expects an “epidemic of attacks” will take place once ransomware-as-a-service gathers steam.

“It won't be long before the malicious IoC count crosses five figures,” Gurtu says. “Several malware families are being aggressively integrated into the kill-chain for attacks, including Kinsing, XMR, and Mirai. Because the Log4Shell vulnerability is so widespread, the attacks will continue for a long time and the threat actors are just getting started.”

John Bambenek, principal threat hunter at Netenrich, said the most surprising element of this news is that only two ransomware operators are using Log4j so far. Bambenek said it’s inevitable many threat actors will pile on as quickly as possible.

“It’s just surprised me why the adversary is adopting this vulnerability so slow,” Bambenek said. “This does highlight that ransomware families don’t die…they just take breaks from time to time because there is just so much easy money to be made.”

Davis McCarthy, principal security researcher at Valtix, added that ransomware operators will have a field day with Log4Shell. McCarthy said even if every organization patches their public-facing infrastructure, security researchers have already seen the vulnerability get used in malspam campaigns.

“Vulnerable software running on user endpoints and internal network resources will give an attacker plenty of remote access opportunities and lateral movement capabilities,” McCarthy said. “The fact that TellYouThePass operators had previously been dormant signals to me that they saw Log4Shell as an opportunity worth taking. Other ransomware groups, old and new, have likely concluded the same thing. If an organization doesn’t know how Log4j has impacted them, it’s imperative for them to monitor egress traffic, and flag lateral movement activity.”

Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber, viewed the TellYouThePass news as just the latest example of a multi-faceted ransomware attack.

“We need to get better as a cybersecurity industry at sufficient mitigation of known vulnerabilities or we will see more of what we saw with the SolarWinds exploit, but with the new ‘vulnerability of the day’ used instead,” Bar-Dayan said. “We need to identify the vulnerabilities that matter to our businesses and organizations by assessing and prioritizing associated risk. Then we need to take control and orchestrate the mitigation effort while measuring our ability to drive cyber hygiene and attain acceptable levels of risk.”
