Microsoft confirms new ransomware family deployed via Log4j vulnerability

Microsoft has become the second security vendor to report it has observed a new family of ransomware, known as Khonsari, which the company said has been used in attacks on non-Microsoft-hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

In a Wednesday night update to its blog post about the Log4j vulnerability, Microsoft said it can confirm the findings of cyber firm Bitdefender, which earlier this week disclosed the existence of the new Khonsari ransomware family. Bitdefender said it had detected multiple attempts to deploy a Khonsari ransomware payload, which targets Windows systems by taking advantage of a flaw in the Log4j logging library.

The vulnerability, known as Log4Shell, was publicly disclosed last Thursday and is considered highly dangerous, as the flaw is both widespread and regarded as trivial to exploit.

Attacks on Minecraft servers

In its blog update Wednesday, Microsoft said that it has seen ransomware attacks on Minecraft servers that are not hosted by the company that involve the Khonsari ransomware family.

“Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender,” the company said in the blog post update.

“In Microsoft Defender Antivirus data we have observed a small number of cases of this [ransomware] being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader,” Microsoft said in the post.

In those cases, the threat actor has sent a malicious message in-game to a vulnerable Minecraft server, and the message then exploits Log4Shell in order to execute a payload both on the server and on any vulnerable clients that are connected, the company said.

“We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device,” Microsoft said.

Risk of compromise

The vulnerability in Log4j was initially discovered in the Java version of Minecraft, according to reports. The massively popular game is owned by Microsoft. A post on the Minecraft website on Friday had informed users of the Log4j vulnerability and urged Java edition players to update to the patched version, saying that “this vulnerability poses a potential risk of your computer being compromised.”

The new disclosure by Microsoft today follows the company’s report on Tuesday that it has observed multiple cybercriminal groups seeking to establish network access by exploiting Log4Shell, with the goal of later selling that access to ransomware operators. The arrival of these “access brokers,” who’ve been linked to ransomware-as-a-service affiliates, suggests that an “increase in human-operated ransomware” may follow against both Windows and Linux systems, the company said.

Additionally, Microsoft said in the previous update that it has observed activity from nation-state groups around the Log4j vulnerability, including operations by an Iranian group that has previously deployed ransomware.

‘Not widespread’

Earlier this week, Bitdefender reported that it has seen multiple attempts to deploy the new Khonsari ransomware, named after the extension found in the payload’s encrypted files. However, “Khonsari is not widespread at this point,” said Martin Zugec, technical solutions director at Bitdefender, in an email to VentureBeat on Tuesday.

Researchers have also told VentureBeat that they’ve seen attackers potentially laying the groundwork for launching ransomware in a range of ways, such as deploying privilege escalation tools and bringing malicious Cobalt Strike servers online, in recent days. Cobalt Strike is a popular tool for enabling remote reconnaissance and lateral movement in ransomware attacks.

On Saturday, Microsoft had reported seeing the installation of Cobalt Strike through the exploitation of the Log4j vulnerability.

All in all, researchers have said they do expect more ransomware attacks to result from the vulnerability in Log4j. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users. Researchers at cybersecurity giant Check Point said they’ve observed attempted exploits of the Log4j vulnerability on more than 44% of corporate networks worldwide.


In the blog post update Tuesday, Microsoft’s threat research teams said that they “have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.”

“These access brokers then sell access to these networks to ransomware-as-a-service affiliates,” the Microsoft researchers said in the post.

Ransomware-as-a-service operators lease out ransomware variants to other attackers, saving them the effort of creating their own variants.

At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

Ransomware has already been hitting a growing number of organizations. A recent survey from CrowdStrike found that 66% of organizations had experienced a ransomware attack in the past 12 months, up from 56% in 2020.

Meanwhile, in the post update on Wednesday, Microsoft said that “while it is uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials.”

“These techniques are typically associated with enterprise compromises with the intent of lateral movement,” the company said. “Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.”
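Two details in Microsoft's account give defenders something concrete to look for: the Khonsari payload runs in the context of javaw.exe, and on client machines the same exploitation path dropped PowerShell reverse shells that were then used to run Mimikatz. The following is an added example written for this article, not Microsoft's or Bitdefender's detection logic. It runs a simple process-lineage heuristic over constructed endpoint telemetry: a Java game client spawning a shell, or command lines carrying traits of scripted download-and-execute or credential-theft activity. The event fields, image-name sets and regex heuristics are assumptions chosen for illustration.

```python
"""Heuristic detection of suspicious child processes of a Java game client.

Added example for this article; not Microsoft's or Bitdefender's detection logic.
It assumes endpoint telemetry recording process-creation events with parent and
child image names and a command line (the field names here are made up).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# The Java runtime that hosts the Minecraft client/server (the article notes the
# ransomware ran "in the context of javaw.exe") and the shells it was seen dropping.
JAVA_HOSTS = {"javaw.exe", "java.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits typical of scripted download-and-execute or credential theft.
# Hypothetical heuristics chosen for this example, not taken from the article.
CMDLINE_PATTERNS = [
    re.compile(r"-enc(odedcommand)?\b", re.I),
    re.compile(r"-nop\b|-noprofile\b", re.I),
    re.compile(r"\b(iex|invoke-expression|downloadstring|net\.webclient)\b", re.I),
    re.compile(r"\bmimikatz\b", re.I),
]


def classify(event: ProcessEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means no rule fired."""
    reasons = []
    if (event.parent_image.lower() in JAVA_HOSTS
            and event.image.lower() in SUSPICIOUS_CHILDREN):
        reasons.append(f"{event.image} spawned by {event.parent_image}")
    for pat in CMDLINE_PATTERNS:
        if pat.search(event.command_line):
            reasons.append(f"command line matches /{pat.pattern}/")
    return reasons


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each host with at least one triggered rule to the list of reasons."""
    alerts: dict[str, list[str]] = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            alerts.setdefault(ev.host, []).extend(reasons)
    return alerts


# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    ProcessEvent("pc-01", "explorer.exe", "javaw.exe", "javaw.exe -jar minecraft.jar"),
    ProcessEvent("pc-01", "javaw.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ProcessEvent("pc-02", "javaw.exe", "conhost.exe", "conhost.exe 0x4"),
    ProcessEvent("pc-03", "cmd.exe", "powershell.exe", "powershell.exe Get-Date"),
    ProcessEvent("pc-04", "powershell.exe", "mimikatz.exe", "mimikatz.exe"),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Only pc-01 (a shell spawned by javaw.exe with encoded, no-profile flags) and pc-04 (Mimikatz launched from PowerShell) produce alerts; the benign javaw.exe launch, the conhost.exe child and an ordinary interactive PowerShell command do not. In production the lineage rule would be scoped to hosts where a Java game client is expected, since, as Microsoft notes, Minecraft is uncommon on enterprise networks and its presence there is itself worth a look.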

