Back to BlogDetecting Log4j Exploits Leading to Ransomware
Threat actors have already begun to exploit the Log4j vulnerability to launch ransomware attacks — and unfortunately, it’s just the tip of the iceberg.
Conti was the first professional ransomware group to weaponize the Log4j vulnerability to launch ransomware attacks, and it certainly won’t be the last.
For opportunistic ransomware groups that operate quickly with purely financial motivations, Log4j is a low-hanging fruit to gain initial access into an environment. To prevent Log4j exploits, you should first evaluate your attack surface and upgrade to Log4j version 2.17.0. Blumira has developed a vulnerability scanner to determine your impact.
We’ve published recommendations on how to remediate the vulnerability. However, the ubiquitous nature of Log4j means that it’s inherently difficult to patch. That’s why detection is your best bet to stay protected against Log4j-related attacks.
What Is Log4Shell?
A zero-day remote code execution (RCE) was discovered in Apache Log4j, a popular Java logging library, which impacts hundreds of enterprise applications. Using this vulnerability, attackers can call external Java libraries via ${jdni:ldap:// and ${jndi:ldaps:// and drop shells to deploy the RCE attack without additional effort.
The Log4j vulnerability, dubbed Log4Shell, provides a relatively easy exploit path for threat actors, whereas it doesn’t require authentication to take full control of web servers. A JNDI exploit kit has been publicly available for at least two years on GitHub, which enables threat actors to exploit Java web apps vulnerable to JNDI (Java Naming and Directory Interface) injection.
For an attacker to leverage the Log4j vulnerability, it’s simply a matter of changing the initial attack vector in that exploit kit.
How To Detect Log4j-Related Ransomware
It’s important to understand how to detect the early-stage patterns and techniques associated with an exploitation, so you can stop a threat actor before they can encrypt files and drop the ransomware payload.
Ransomware groups weaponizing Log4j have used the following techniques:
Malicious .NET Files
Khonsari is the first ransomware strain to use the Log4j vulnerability as an attack vector for Windows systems, and its method involves executing a malicious .NET file that encrypts every drive on a vulnerable system except for the C:\ drive. On the C:\ drive, Khonsari only encrypts documents, videos, pictures, downloads and desktop folders.
To detect this stage in the attack, ensure your security tool, like an endpoint detection and response (EDR) or security incident and event management (SIEM) platform can detect the presence of malicious files. Blumira, for example, can detect when an application drops a new file or script onto a machine.
Cobalt Strike
Microsoft confirmed that it has observed threat actors using Cobalt Strike as they weaponize Log4j. Cobalt Strike is a remote access tool designed for red teaming and penetration testing. However, threat actors often use it for malicious purposes, such as opening up a system’s memory to deliver the ransomware payload.
To protect against Log4j exploits, ensure that your host detection for exploitation of Cobalt Strike, Trickbot, and related common attacker tools are functioning as intended and that you have the needed visibility to do so.
Blumira detects when an attacker is using Cobalt Strike, indicating a user has either been exploited by an outside attacker or an attacker has gained a foothold into your environment.
Kerberoasting
Kerberoasting, an attack method used to gain access to passwords for service accounts, was one of the final steps in Conti’s Log4j attack chain before taking control of VMware vCenter servers, according to Threatpost.
To detect instances of Kerberoasting, you can create a honeytoken that is used solely to act as a canary for attackers.
Blumira has a detection for Kerberoasting that is automatically built into the platform; you can find it on GitHub.
Learn More About Log4Shell
For more information about the Log4Shell vulnerability and how to detect it, watch our on-demand webinar or read our blog post.
To detect the Log4j-related attack methods listed above that commonly lead to ransomware, test out a free trial of Blumira’s detection and response platform.