OODA Loop

Understand tomorrow, today.

Log4Shell Activity:  Non-State Actors (Global)

Archive, Disruptive Technology, OODA Original / by

[For coverage of the press conference by CISA Director Jen Easterly last week and a general summary of U.S.-based Apache Log4j alerts and mitigation efforts, see our previous post:  Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates.  For the most recent incidents and mitigation activities of government agencies worldwide, see our post from last week: Log4Shell Incidents and Mitigation Activities To-date: Governmental Agencies (Global).]

It was announced that CISA has identified threat actors “using the [Log4Shell] vulnerability to install and sell crypto mining software on victims’ computers and to potentially launch future botnet attacks,” Easterly said during the presser last Monday.

“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on keyboard attacks.  This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) reported in a January 3 update.


OODA Loop Sponsor

Following is an update of Log4Shell activities organized by nation-states – with non-state actors and cybercriminal organizations which are suspected to be state-affiliated or located in the country.

Russian APTs

Conti:  In late December, the sophisticated Russia-based Conti ransomware group became the first group to weaponize Log4j with a full attack chain.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), in a Joint Cybersecurity Advisory (CSA) in September 2021, “observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.  While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.”

Palo Alto Networks has called Conti “one of the most ruthless” of dozens of ransomware groups currently known to be active.”

THE CISA FBI CSA describes Conti’s usual infiltration techniques:

Conti actors often gain initial access [TA0001] to networks through:

  • Spearphishing campaigns using tailored emails that contain malicious attachments [T1566.001] or malicious links [T1566.002];
    • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware. [1],[2],[3]
  • Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].[4]
  • Phone calls;
  • Fake software promoted via search engine optimization;
  • Other malware distribution networks (e.g., ZLoader); and
  • Common vulnerabilities in external assets.”

Threat Post reports that Conti “was in the right place at the right time with the right tools when Log4Shell hit the scene, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost…the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for Center.”

So What: This is absolutely playing out as expected. This is a serious weaponization of a vulnerability that will be in the infrastructure of the Internet for years.

What’s Next: Expect more criminal gangs to follow suit and build weaponized capabilities like this. Also, expect the ecosystem of hackers that collaborate on attacks (via ransomware as a service model) to leverage this vulnerability.

Your Action: Read the latest on the cyber threat and defensive strategies on the OODA Cyber Sensemaking page.   Become an OODA Network member to discuss this topic with peers.

Chinese APTs

APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools – Crowdstrike recently released a detailed report of this incident:  AQUATIC PANDA in Possession of Log4Shell Exploit Tools.   From the report:  “AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology, and government sectors.”  During the attack, CrowdStrike observed the group attempting to use Log4Shell exploit tools on a vulnerable VMware installation.  The suspicious activity was uncovered by CrowdStrike, which led them to search for unusual processes associated with the VMware Horizon Tomcat web server.”

HAFNIUM, “a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedure,” has been “observed utilizing Log4Shell to attack virtualization infrastructure to extend their typical targeting,” reported the Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC), “In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.”

NIGHTSKY is either a new China-based ransomware operation or a legacy of Rook ransomware.  MSTIC sees NIGHTSKY as legacy, not new:  “As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.  These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).”   BleepingComputer notes that NightSky is using “double extortion”, where the attacker not only encrypts a target’s data but steals it and threatens to leak it if a ransom is not paid. One victim received an $800,000 ransom demand for a NightSky decryptor.”

Iranian APTs

MSTIC has observed PHOSPHORUS, “an Iranian actor known to deploy ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.”  Since this initial MSTIC report,  it has been confirmed that the Log4Shell exploit was used in a Cox Media Group ransomware attack attributed to Phosphorus.

NOTE:  This Phosphorus update and the Hafnium update above are part of a 1/10/22 update from MSTIC which is really thorough and up to date on all things Log4j:  Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.

Anatomy of a Log4Shell Exploit:  ONUS (Vietnamese crypto trading platform)

An attack on the Vietnamese crypto trading platform ONUS has not been attributed.   According to bleeping computer:

“Among the first threat actors to leverage Log4Shell to drop payloads are cryptocurrency mining groups and botnets, who started to attack immediately after the proof-of-concept exploit code became available. One of the largest, ONUS, recently suffered a cyber attack on its payment system running a vulnerable Log4j version. Soon enough, threat actors approached ONUS to extort a $5 million sum and threatened to publish customer data should ONUS refuse to comply.  After the company’s refusal to pay the ransom, threat actors put up data of nearly 2 million ONUS customers for sale on forums.   The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only),” explains ONUS.  However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data. This leads to the risk of leaking the personal information of a large number of users.”

Enterprise IT cybersecurity professionals are encouraged to think really broadly about the points of entry for this exploit.  Vendor configuration matters and is a good place to start, as misconfigured Amazon S3 buckets were the access point for this ONUS hack:

“Interestingly, the Log4Shell vulnerability existed on a sandbox server used “for programming purposes only” but allowed attackers further access into sensitive data storage locations (Amazon S3 buckets) with production data, due to a system misconfiguration.  The hack itself is a little more than just a Log4j problem alone. Log4j exploit may have been the entry point for attackers, but improper access control on ONUS’ Amazon S3 buckets allowed attackers undue access.” (1)

Further Resources

Log4Shell Incidents and Mitigation Activities To-date: Governmental Agencies (Global)

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates

OODA Loop – 2021 Year-End Review: Cybersecurity

Log4Shell Exploit Used in Cox Media Group Ransomware Attack Attributed to Iranian Hackers

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

Beware Burnout for Defenders:  Log4j flaw: 10 questions you need to be asking | ZDNet

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

About Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.