A whole new ransomware strain is exploiting Log4j
TellYouThePass has awoken from its yearlong slumber
The Log4j vulnerability is so potent that it appears to have brought many retired and inactive malicious actors out of the woodwork.
Multiple cybersecurity researchers, including those from Sophos and Curated Intelligence, now say they have spotted an attempted distribution of TellYouThePass, an old ransomware strain that had been deemed inactive, through the Log4Shell vulnerability.
According to the researchers, the ransomware, last seen in July 2020, is being used against targets in China, the U.S., and Europe, including Amazon and Google cloud services. The malicious actors are targeting both Windows and Linux devices, with the Linux version able to steal Secure Shell (SSH) keys and perform lateral movement.
Threat incoming?
Abusing Log4j to distribute ransomware is not that widespread just yet, the researchers say, noting that they have yet to observe any activity from ransomware deployed this way.
However, that doesn’t mean ransomware operators aren’t moving in that direction. It could mean that they are still in the reconnaissance phase, moving through compromised networks, mapping out endpoints and identifying key data.
Speaking to VentureBeat, Cisco Talos threat researcher Chris Neal says preventing malware detection is crucial for malicious actors at this point: “After initial access, these attackers will commonly choose to gain persistence, and then minimize their footprint to prevent detection and perform reconnaissance,” Neal said. “This type of behavior may account for the lack of ransomware campaigns utilizing this exploit being observed.”
Moving away from cryptomining
For the moment, cryptomining seems to be the most popular way to abuse the Log4j flaw, but with ransomware offering a much higher - and faster - ROI, researchers expect threat actors to pivot quickly.
“Some of these small things, like a crypto miner, can end up just being that first stage of attack,” Roger Koehler, vice president of threat ops at Huntress, told VentureBeat. “Because they can go and sell that access on the black market. And somebody bigger and badder may buy that and do something more detrimental, like a ransomware attack.”
Ultimately, “those crypto miners can seem small, but that can escalate to something bigger.”
Via: VentureBeat
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.