Second Ransomware Family Exploiting Log4j Spotted In US, Europe

Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe. VentureBeat reports: A number of researchers, including at cybersecurity giant Sophos, have now said they've observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family -- which has been revived following the discovery of the vulnerability in the widely used Log4j logging software. TellYouThePass is the second family of ransomware that's been observed to exploit the vulnerability in Log4j, known as Log4Shell, joining the Khonsari ransomware, according to researchers.

While previous reports indicated that TellYouThePass was mainly being directed against targets in China, researchers at Sophos told VentureBeat that they've observed the attempted delivery of TellYouThePass ransomware both inside and outside of China -- including in the U.S. and Europe. "Systems in China were targeted, as well as some hosted in Amazon and Google cloud services in the U.S. and at several sites in Europe," said Sean Gallagher, a senior threat researcher at Sophos Labs, in an email to VentureBeat on Tuesday. Sophos detected attempts to deliver TellYouThePass payloads by utilizing the Log4j vulnerability on December 17 and December 18, Gallagher said. TellYouThePass has versions that run on either Linux or Windows, "and has a history of exploiting high-profile vulnerabilities like EternalBlue," said Andrew Brandt, a threat researcher at Sophos, in an email. The Linux version is capable of stealing Secure Socket Shell (SSH) keys and can perform lateral movement, Brandt said. Sophos initially disclosed its detection of TellYouThePass ransomware in a December 20 blog post.

The first report of TellYouThePass ransomware exploiting the Log4j vulnerability appears to have come from the head of Chinese cybersecurity group KnownSec 404 Team on December 12. The attempted deployment of TellYouThePass in conjunction with Log4Shell was subsequently confirmed by additional researchers, according to researcher community Curated Intelligence. In a blog post Tuesday, Curated Intelligence said its members can now confirm that TellYouThePass has been seen exploiting the vulnerability "in the wild to target both Windows and Linux systems." TellYouThePass had most recently been observed in July 2020, Curated Intelligence said. It joins Khonsari, a new family of ransomware identified in connection with exploits of the Log4j vulnerability.

"to target both Windows and Linux systems"

[ls671]

Why would it be limited to Windows and Linux systems?

Re:"to target both Windows and Linux systems"

[Dutch Gun]

This is a server-side exploit, right? That probably covers 99% of the market. macOS doesn't have a market in server space, and other *nixes are a rounding error.

"Write once, run anywhere" doesn't typically apply to malware that's trying to break out of a safety sandbox. You often need OS-specific techniques at that point.

Re:

[gweihir]

No reason why this needs to be server-side.

Re:

[The Evil Atheist]

Why do you need OS-specific techniques? They would only need application specific techniques. All they need to do is to go after data.

Re:

[gweihir]

Why would it be limited to Windows and Linux systems?

It is not. But that is apparently all the reporter could imagine.

Re:

[atol]

To add note: Exploits are discovered months or even years after they have been used.

Re:

[Petersko]

Why are you asking the government about how Oracle built their product? Seems to me they're right. Ask Oracle.
The NCSC or the CISA do not seem to be in the business of playing middleman between people and vendors.

Re:

[atol]

So Cyber Security Officials don't react on threats and do inquirers on formal matter about them to corporations? What is their budget for then? Wanking?

Memory

[The Evil Atheist]

Hey, but at least it's not a memory error, right? VMs chewing up gigabytes of memory because some programmers are scared of a language they had a horrible time learning at university is so much better. Who needs backdoors when you can show the whole world how to enter in through the front door?

Get your backups, Backups for sale, DR plans

[Canberra1]

Laws need to be make, to allow insurance companies NOT to pay where the client has no viable backup and recovery strategy. Many enfeebled corporates did not 12 months ago, and still have none. I fondly remember the Ghostbusters van - perhaps we can get one outside the corporate HQ of impacted operations, to drive home the message 'we are idiots'

Re:

[gweihir]

These laws are actually in place. This type of IT operations is called "gross negligence". Insurers are just reluctant to go for it since they would lose so many of their customers.

Re:

[Canberra1]

What laws - don't answer if they are never practically enforced at the corporate level, never burning a hole in CEO renumeration, package or options. I have trouble recalling where a CEO ever felt sorry. The situation now - is that anything goes - or is that ENRON's old motto. Or the Deepwater oil spill plans. I worked in ICT for 35 years. In all that time, there was a gag order not to speak to any auditors. While the auditors were careful not to voice their concerns too loudly, lest the big accounting fir

Re:

[gweihir]

What laws

Read up on the definition of "gross negligence". Also, this is civil law, not criminal law, so no "punishment" involved, you have that completely wrong. But an insurer can successfully refuse to pay if the one that suffered damage basically "asked for it". Your insurance only is valid if you exercised due care and that is part of the contract you have with your insurance and of the laws governing insurances.