More stories


    New “Hack DHS” program will pay up to $5,000 for discovered vulnerabilities

    The US Department of Homeland Security is launching its own bug bounty program to help find and correct gaps in its systems. 


    The new “Hack DHS” program was made official by Homeland Security Secretary Alejandro Mayorkas in a press release on the agency’s website after it was revealed at the recent Bloomberg Technology Summit and covered by The Record. The program promises to pay out between $500 and $5,000 to “vetted cybersecurity researchers who have been invited to access select external DHS systems.” The actual payout will be based on the severity of the specific vulnerability discovered.

    As noted by DHS, this new bounty program builds on similar private-sector efforts and “Hack the Pentagon,” a first-of-its-kind program launched in 2016 that was ultimately responsible for identifying over 100 vulnerabilities across various Defense Department assets. The DHS itself created a similar pilot program in 2019 on the back of a bipartisan bill. It followed related efforts from the Department of Defense, Air Force, and Army. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors,” Mayorkas noted.

    The effort will include three phases that will run throughout FY 2022. In the first phase, hackers will be called on to conduct a “virtual assessment” on select DHS systems. This will be followed by a “live, in-person hacking event” during phase two, and an identification and review process during the third and final phase. The DHS noted that it will use the data collected during this process both to plan for future bug bounties and to develop “a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience.” Like previous government programs of a similar nature, this one will be governed by rules set by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), with all participants required to fully disclose any information that could be useful in mitigating and correcting the vulnerabilities they discover.

    The hope for programs like this one is to discover and patch holes privately, without relying on external security researchers or chance discoverers to do the scrupulous thing and inform the vendor or agency before a vulnerability is disclosed into the wild. The effort appears particularly timely in a world where governments, businesses, and just about everyone who owns a computer continue to deal with the fallout from the very public disclosure and rapid exploitation of the Log4j vulnerability.


    Ransomware in 2022: We're all screwed

    Ransomware is now a primary threat for businesses, and with the past year or so considered the “golden era” for operators, cybersecurity experts believe this criminal enterprise will reach new heights in the future. 


    Kronos. Colonial Pipeline. JBS. Kaseya. These are only a handful of 2021’s high-profile victims of threat groups including DarkSide, REvil, and BlackMatter. According to Kela’s analysis of dark web forum activity, the “perfect” prospective ransomware victim in the US will have a minimum annual revenue of $100 million, and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.

    Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains.

    Ransomware infection is no longer the end goal of a cyberattack. Instead, malware families in this arena — including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker — can be one component of attacks designed to elicit a blackmail payment from a victim organization.

    Cisco Secure calls current ransomware tactics “double-extortion.” Victims will have their systems encrypted in one facet of an attack, and a ransom note will demand payment, normally in Bitcoin (BTC). However, to pile on the pressure, ransomware groups may also steal corporate data before encryption and will threaten to publish or sell this information, too, unless a payment is agreed upon and made.

    The European Union Agency for Cybersecurity (ENISA) said there was a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, we are experiencing the “golden era of ransomware,” in part due to multiple monetization options.

    This is particularly notable in “Big Game hunting,” when ransomware operators specialize in going after large and profitable companies. With this in mind, what can we expect from ransomware operators in 2022?

    Ransomware-as-a-Service will continue to climb

    Ransomware-as-a-Service (RaaS) is an established industry within the ransomware business, in which operators lease out or offer subscriptions to their malware creations to others for a price, whether this is a per-month deal or a cut of any successful extortion payments. Considering the lucrative nature of RaaS and the difficulty of tracking down and prosecuting operators, it should come as no surprise that many security experts believe this business model will continue to flourish in 2022.

    “We’re going to see a continued increase in the severity and volume of ransomware attacks,” commented Andy Fernandez, senior product marketing manager at HPE company Zerto. “In response, we will see a growth in the ransomware-as-a-service market, which is able to propagate new versions and new methods in a much faster way than before. Whether you are a small business or large enterprise, at some point, you will be targeted by a ransomware attack that will try to get into your system and encrypt your critical data.”

    Increased attack risk


    An emerging trend documented by CrowdStrike is multiple attacks leveraged against organizations once they have been successfully compromised. Data exfiltration and extortion go hand-in-hand, and according to CTO Mike Sentonas, in addition to the threat of sensitive data becoming public, “some criminals have been known to sell files to each other or even to a competitor in a foreign market.”

    “This means that even if a company has paid one criminal gang, another could emerge from the shadows and demand precisely the same thing,” Sentonas says.

    Other experts, including those from Picus Security, suggest that we may see more extortion methods become commonly employed, such as launching Distributed Denial-of-Service (DDoS) attacks or the harassment of customers and partners.

    Pay to stay away?

    Another potential method of extortion we may see next year is that of companies paying operators not to attack them. Joseph Carson, Chief Security Scientist at ThycoticCentrify, suggests that while RaaS is already in full swing, “ransomware could even evolve further into a subscription model in which you pay the criminal gangs to not target you.”

    The Great Resignation

    The COVID-19 pandemic has, perhaps permanently, changed the face of work. Many of us were forced to work from home and have now adopted home office setups, and in many cases have decided to resign from existing posts to pursue other opportunities.

    Thales believes that in 2022, what is known as The Great Resignation will also have ramifications for cybersecurity, predicting a “direct correlation between staff turnover and cyber incidents.” According to the firm, organizations that have already lost staff will have to train new employees who are unfamiliar with existing protocols and may not have adequate levels of security awareness.

    Business ecosystems contain many different processes, partners, and software, which may increase the risk of a business becoming compromised, and ransomware may be one of the top threats companies face today. “There is also the issue of fatigued or disgruntled workers,” Thales says. “Even if they are not malicious, they may be increasingly lax in following employee guidelines. In 2022, the cost to replace an employee needs to go beyond recruitment and training costs. And after the rush to fill seats, organizations need to double down on training and onboarding.”

    Going quantum?

    BlackBerry CISO John McClurg predicts that emerging technologies may also have an impact on how ransomware is used in 2022 and beyond. Quantum computing, the concept of using quantum physics to enhance a computer’s ability to perform calculations, could be one of these areas. While outside the realm of most attackers, McClurg says that leaps forward in quantum computing could also be leveraged to develop new attack vectors.

    “One of the more controversial uses of quantum computing is its potential to break public-key cryptography,” the executive explained. “In just a few short years, security information stored by national and international intelligence will be easily decrypted through a powerful quantum computer. This will leave highly sensitive data vulnerable to threat actors, causing an enormous potential for widespread security breaches.”

    Implications for cyber insurance

    The explosion in high-profile ransomware attacks is also potentially going to cause massive shifts in cyber insurance, premiums, and whether or not ransomware incidents will be covered at all. With blackmail payouts now reaching millions of dollars, insurers are likely to re-examine whether coverage can be offered, and if so, will impose strict requirements on the cases in which a policy will pay out. This may include bans on paying a ransom entirely, forcing applicants to adhere to industry-accepted security standards, agreeing to consistent employee training, and more.

    Ritesh Singhai, Senior Director, EMEA Solutions at Secureworks, told ZDNet that there will be a “watershed” moment for cyber insurance providers in the future, and coverage for some threats, including ransomware, will become “prohibitively expensive.”

    “None of this will fundamentally change the threat that organizations face, although the challenges around recouping a loss may change the risk calculation, increasing the value of effective preparation and incident response plans,” Singhai added.


    Log4j flaw: Now state-backed hackers are using bug as part of attacks, warns Microsoft

    State-sponsored hackers from China, Iran, North Korea and Turkey have started testing, exploiting and using the Log4j bug to deploy malware, including ransomware, according to Microsoft.

    As predicted by officials at the US Cybersecurity and Infrastructure Security Agency (CISA), more sophisticated attackers have now started exploiting the so-called Log4Shell bug (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It’s a potent flaw that allows remote attackers to take over a device after compromise. CISA officials on Tuesday warned that hundreds of millions of enterprise and consumer devices are at risk until the bug is patched.

    The bulk of attacks that Microsoft has observed so far have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers.

    “The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” Microsoft said.

    Its ease of exploitation and wide distribution in products make it an attractive target for sophisticated criminal and state-sponsored attackers. It is this latter group that has now started exploiting the flaw.

    “This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” Microsoft said.

    Microsoft has turned the spotlight on the Iranian hacking group it tracks as Phosphorus, which recently ramped up its use of file-encryption tools to deploy ransomware on targets. The group has acquired and modified the Log4j exploit for use, according to the Microsoft Threat Intelligence Center (MSTIC). “We assess that Phosphorus has operationalized these modifications,” the MSTIC notes.

    Hafnium, a Beijing-backed hacking group behind this year’s Exchange Server flaws, has also been using Log4Shell to “target virtualization infrastructure to extend their typical targeting.” Microsoft saw the systems used by Hafnium employing a Domain Name System (DNS) service to fingerprint systems.

    The Log4Shell bug was disclosed by the Apache Software Foundation on December 9. CERT New Zealand reported the bug was actively being exploited. Apache released a patch last week. However, vendors including Cisco, IBM, Oracle, VMware and others still need to integrate the patch into their own affected products before customers can deploy them.

    MSTIC and the Microsoft 365 Defender team also confirmed that “access brokers” – gangs who sell or rent access to compromised machines – have been using the Log4j flaw to gain a foothold in target networks on both Linux and Windows systems. This sort of access is frequently sold on to ransomware gangs looking for victims; security firm Bitdefender reported that a new ransomware strain called Khonsari is already attempting to exploit the Log4j bug.

    CISA yesterday published its list on GitHub of products affected by the Log4Shell flaw, following a similar list by the Netherlands cybersecurity agency (NCSC) published earlier this week. CISA lists the vendor, product, versions, status of vulnerability, and whether an update is available.

    The US list will be a handy tool for organizations as they patch affected devices, in particular US federal agencies, which were ordered yesterday by CISA, a unit of the Department of Homeland Security, to test which internal applications and servers are vulnerable to the bug by December 24.

    Cisco customers will be busy over the next few weeks as it rolls out patches. Just looking at, for example, Cisco’s list of affected products highlights the work ahead for agency teams that must enumerate affected systems ahead of the Christmas break. CISA’s list also includes an extensive array of affected VMware virtualization software tools, most of which don’t have a patch available yet.

    Dozens of Cisco software and network products are affected. Cisco released a patch for Webex Meetings Server yesterday. The Cisco CX Cloud Agent Software also got a patch. Other affected Cisco products without a patch include Cisco’s AMP Virtual Private Cloud Appliance, its Advanced Web Security Reporting Application, Firepower Threat Defense (FTD), and Cisco Identity Services Engine (ISE). Several network infrastructure management and provisioning products are also vulnerable, with patches scheduled for December 21 and onwards.


    Singapore-South Korea digital economy deal to sync up on data, payments

    Singapore has finalised negotiations with South Korea on a digital economy agreement that will see both nations collaborate across several areas, including cross-border online payments, data flows, cryptography, and artificial intelligence (AI). The partnership is touted to establish “forward-looking” digital trade rules and drive interoperability between digital systems.

    South Korea also will be the first Asian market to sign on for Singapore’s Digital Economy Agreement, the latter’s fourth, following similar pacts with the UK (announced last week), Australia, and Chile and New Zealand.

    Under the digital agreement, data localisation would not be permitted unless necessary for specific purposes, such as regulatory access, the two partners said Wednesday in a joint statement. This would facilitate secure data transfers between organisations in both nations and enable them to decide where they want to store and process their data, according to their business requirements.

    The digital economy pact also would deepen bilateral collaboration in emerging segments such as personal data protection, online payments, and source code security. In addition, both countries would explore potential cross-border opportunities in AI innovation and see South Korea supporting Singapore’s efforts in developing multilateral rules in e-commerce. The latter currently is co-convenor of the World Trade Organization Joint Statement Initiative on E-commerce.

    Specifically, the Singapore-South Korea digital economy agreement would cover 11 modules under three broad areas spanning digital trade, trusted data flows, and trusted digital systems and participation. Bilateral efforts, for instance, would look to develop secure cross-border digital payments with “transparent and facilitative rules”, such as open application programming interfaces (APIs) and the adoption of internationally accepted standards. To facilitate the exchange of key commercial documents, both countries would recognise electronic versions of trade administration documents and collaborate on initiatives to drive the adoption of data exchange systems.

    Businesses operating in the two markets also would be permitted to transfer information cross-border, including data generated or held by financial institutions, if all parties complied with requisite regulations and deployed adequate personal data protection.

    In the area of AI, Singapore and South Korea would encourage the adoption of governance and ethics frameworks that supported trusted and responsible use of AI-powered technologies. They also would ensure local organisations that used cryptography could do so with “trust” that private keys and related technologies deployed in both market environments were protected. For one, neither country would require the transfer of or access to such tools as a condition of market access.

    This rule would be extended to source code protection, in which neither nation would require the transfer of or access to software code as a condition of market access. This included algorithms.

    The growth of small and midsize businesses (SMBs) in both countries would be cultivated through platforms that help these organisations connect to international suppliers, buyers, and other potential partners. Similar to the UK agreement, Singapore’s pact with South Korea included collaboration in digital identities. Both Asian markets would drive interoperability between their respective digital identity regimes, with the goal of delivering more reliable identity verification and faster application processing. Such initiatives aimed to cut cross-border trade barriers and enable both enterprises and consumers to more easily and securely navigate their digital economies.

    Singapore’s Second Minister for Trade and Industry Tan See Leng said: “[The agreement] will strengthen the digital connectivity between Singapore and the Republic of Korea, and add to our already robust economic ties. By aligning standards, enabling trusted data flows and allowing cross-border digital transactions to take place more seamlessly, the Korea-Singapore Digital Partnership Agreement will open up opportunities for our businesses and people in the rapidly growing digital economy.”

    Seoul was Singapore’s eighth largest trade partner last year, with bilateral trade clocking in at SG$44.6 billion ($32.58 billion), while Singapore was South Korea’s ninth largest investor in Asia in 2019, pushing SG$8.37 billion ($6.11 billion) worth of investments.


    Australia to establish youth advisory council for countering online child exploitation

    Australia will create a new panel consisting of Australian youths and young adults that will provide consultation to industry and government about how to approach regulating online platforms.

    “Young people know better than anyone about the good, the bad and the plain ugly that exists in the online world,” Prime Minister Scott Morrison said. “They are the first generation of Australians to grow up living simultaneously in both the real and digital worlds, and they are always at the forefront of new technologies.

    “This is something that so many parents, and indeed decision makers, don’t always understand, because we haven’t lived this experience like they have. This is why there is no one better placed to tell us what needs to change and how, than this generation of young Australians.”

    The Online Safety Youth Advisory Council will comprise up to 20 young Australians, aged between 13 and 24, who will be drawn from a “wide range of backgrounds” to provide feedback to government on the challenges and solutions to online safety issues impacting young people. The council will be coordinated by eSafety Commissioner Julie Inman Grant, who will commence the selection process for council members in January.

    The members will participate in a range of forums examining online safety issues such as bullying and harassment, mental health, privacy, the impact of algorithms and unwanted contact from strangers, and will report to government with recommendations for further action that can be taken by industry, government, and regulators like eSafety. Inman Grant said the decision behind creating the council was to allow Australian youth to have a voice in shaping the online world through a deep, formalised engagement.

    “One thing we found when we engaged young people was that they think about technology in different ways, they use technology in different ways than we do, and they also expect different things from the technology behemoths in terms of the protections that they want to see and what is intuitive to them, so we cannot be making policy and creating resources without their authentic voices and without their engagement,” Inman Grant said.

    Inman Grant explained that the council would accept members aged as young as 13 as that is the minimum user age of major social media platforms. She added that a voice for Australian youth was needed as her agency has seen children as young as eight experience cyberbullying and fall prey to self-produced child sexual abuse material. “Kids are online earlier and earlier than they should, so I think 13 is a totally appropriate age for them to start,” the eSafety commissioner said.

    Inman Grant’s comments follow her agency last week telling a parliamentary joint committee that social media platforms moving towards encrypted communications could create a dynamic where they effectively become “digital hiding places” for child abuse material. The agency also shared its worry that platforms may claim they are absolved of responsibility for safety because they cannot act on what they cannot see.

    The testimony was made to the Parliamentary Joint Committee on Law Enforcement, which disclosed last week it was contemplating whether social media platforms should be regulated as carriage service providers to address the problem of online child exploitation.

    The Online Safety Youth Advisory Council will aim to start conducting meetings around mid-2022, but Inman Grant noted that the outcomes set out for the council will not have a definitive timeline.


    Oregon medical group notifies 750,000 patients of breach, says FBI seized accounts from HelloKitty ransomware

    The Oregon Anesthesiology Group (OAG) said it suffered a ransomware attack in July that led to the breach of sensitive employee and patient information.

    The breach involves the information of 750,000 patients and 522 current and former OAG employees. In a statement, the company said it was contacted by the FBI on October 21. The FBI explained that it seized an account that contained OAG patient and employee files from HelloKitty, a Ukrainian ransomware group. The FBI said it believes the group exploited a vulnerability in OAG’s third-party firewall, enabling the hackers to gain entry to the network.

    “Patient information potentially involved in this incident included names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers,” OAG explained. “The cybercriminals also potentially accessed current and former OAG employee data, including names, addresses, Social Security numbers and other details from W-2 forms on file.”

    The July 11 attack locked OAG out of its servers and forced it to restore its systems from off-site backups and rebuild its IT infrastructure from the ground up. Outside cybersecurity experts were hired to help with the investigation into the attack.

    “According to the cyber forensics report obtained by OAG in late November, the cybercriminals, once inside, were able to data-mine the administrator’s credentials and access OAG’s encrypted data,” OAG said.

    The company has since replaced its third-party firewall and expanded the use of multifactor authentication. Victims of the incident are being provided with 12 months of Experian identity protection services and credit monitoring. OAG added that victims should be on the lookout for scams and urged them to enroll in Experian’s IdentityWorks program, which comes with up to $1 million in identity theft insurance. Those whose Social Security numbers were leaked are urged to create a my Social Security account with the Social Security Administration, which will allow them to claim their SSN, according to OAG.

    ZDNet previously reported that the HelloKitty ransomware has been active since at least 2020 and mostly targets Windows systems, with some variants being used against Linux systems. There have been a number of HelloKitty spinoffs, including a new unnamed ransomware variant and Vice Society.

    The FBI sent out a warning about the group in October, noting that the group was becoming known for aggressively pressuring its victims with the double extortion technique. “In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public facing website,” the FBI said. “Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker.”

    The FBI added that the group typically uses compromised credentials or known vulnerabilities in SonicWall products and, once inside the network, will use publicly available penetration tool suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire preloaded with publicly available tools like Bloodhound and Mimikatz to map the network and escalate privileges before exfiltration and encryption.

    In February, the group was implicated in a headline-grabbing ransomware attack on Polish game developer CD Projekt Red, the maker of popular games like Cyberpunk 2077 and The Witcher series.


    CISA orders federal civilian agencies to patch Log4j vulnerability and 12 others by December 24

    The US Cybersecurity and Infrastructure Security Agency has ordered all civilian federal agencies to patch the Log4j vulnerability and three others by December 24, adding it to the organization’s Known Exploited Vulnerabilities Catalog. CISA created a landing page for all Log4j vulnerability content and is providing insight alongside the Joint Cyber Defense Collaborative, which includes multiple cybersecurity companies.

    CISA added the Log4j vulnerability alongside 12 others, with four having remediation due dates of December 24 and the rest having June 10, 2022 as the date. The ones slated for remediation by Christmas include the Zoho Corp. Desktop Central Authentication Bypass vulnerability, Fortinet FortiOS Arbitrary File Download vulnerability and Realtek Jungle SDK Remote Code Execution vulnerability.

    CISA Director Jen Easterly said in a statement on Saturday that the log4j vulnerability “is being widely exploited by a growing set of threat actors” and “presents an urgent challenge to network defenders given its broad use.”

    Bugcrowd CTO Casey Ellis commended the remediation deadlines but said it would be “nearly impossible for most organizations.”

    “They need to find log4j before they can patch it, and many are still stuck on that step. If log4j is found, it’s likely that it is deeply embedded in existing applications and will require regression testing to ensure that a patch doesn’t break anything else,” Ellis said. “In short, the time pressure is a good thing for activating those who aren’t taking this seriously, but this will be a difficult timeframe for many to meet.”

    CISA created the list last month as a way to provide government organizations with a catalog of vulnerabilities organized by severity. Each is given a remediation due date and other guidelines for management.

    There is increasing worry that industrial networks — many of which are considered critical infrastructure by US officials — are among those most vulnerable to the recently disclosed zero-day. Dennis Hackney, head of industrial cybersecurity services development at ABS Group, said the Log4j API primarily affects the debugging and logging capabilities within very common historian and logging applications in the OT environment.

    What a lot of companies don’t realize, Hackney said, is that supervisory control and data acquisition (SCADA) and HMI applications typically include open-source technologies like Java and Apache, as found in the Log4j 2.0 vulnerability, to provide the most cost-effective and operational functionality possible. Hackney added that the OEMs that may be issuing security alerts shortly with approved fixes include Siemens T3000, GE CIMPLICITY Historian, GE LogManager, OSIsoft PI Logger, Inductive, Mango Automation and others.

    “The Log4j API is used in very common SCADA systems and historians in the industry. Think GE Cimplicity, OSI Pi, Emerson Progea, and SIMATIC WinCC. We actually witnessed one example where the engineer was unable to start the runtime environment for his IO servers. These are the servers that control the object linking and embedding for process control (OPC) communications between the HMIs (SCADA) and the controllers, or other SCADA and between controllers,” Hackney said.


    Khonsari ransomware, Iranian group Nemesis Kitten seen exploiting Log4j vulnerability

    Security researchers have found evidence that state-sponsored groups as well as the group behind the Khonsari ransomware family are all exploiting the Log4j vulnerability. In a report on Monday, Bitdefender’s Martin Zugec wrote that he saw attacks on Sunday against systems running the Windows operating system. These attacks were attempting to deploy Khonsari.

    Zugec told ZDNet that Khonsari is relatively new ransomware and is considered basic compared to the sophistication of professional ransomware-as-a-service groups.


    “Most likely, it is a threat actor experimenting with this new attack vector. However, that doesn’t mean that more advanced actors are not looking at exploiting the Log4j vulnerability; they most assuredly are,” Zugec explained. “Instead of looking for the shortest route to monetization, they will use this window of opportunity to gain access to the networks and start preparing for a full-scale larger attack.”

    “If you haven’t patched already, you may already have uninvited, dormant guests in your network,” Zugec added.

    Cado Security released its own report on the ransomware, noting that Khonsari “weighs in at only 12 KB and contains only the most basic functionality required to perform its ransomware objective.” “Its size and simplicity are also a strength, however; at the time we ran the malware dynamically, it wasn’t detected by the system’s built-in antivirus,” Cado’s Matt Muir explained.

    Cado Security CTO Chris Doman said the distribution of Khonsari was limited and the server that originally delivered the ransomware is now serving a more generic backdoor.

    “As others have noted, the contact information in the ransomware note is likely to be fake, and possibly even a false flag. Microsoft has reported that they have seen CobaltStrike delivered — a backdoor favored by targeted ransomware gangs. And Sekoia have said that the LockBit ransomware crew are likely looking to exploit the vulnerability too,” Doman said.

    Ransomware expert Brett Callow called Khonsari “skid-level ransomware” but noted that it’s safe to assume other actors attempting to exploit this vulnerability will be more advanced. “Not all will be ransomware gangs. Threat actors of all stripes are attempting to find ways to use Log4j to their advantage,” Callow said.

    McAfee Enterprise and FireEye Chief Scientist Raj Samani told ZDNet that most of the payloads attacking Log4j are predominantly nuisances. But the ease with which Khonsari can be deployed — and the prevalence of vulnerable systems — means payloads could become more destructive.

    “We do expect unpatched systems to continue to be exploited with a high likelihood of ransomware as a malicious payload,” said McAfee Enterprise and FireEye head of advanced threat research Steve Povolny.

    Web servers are the most common systems under attack right now because they’re easy to exploit and have a good return on investment, said ESET’s Marc-Étienne Léveillé. He added that in the next few weeks, we’ll probably discover other software using Log4j that’s vulnerable.

    Security researchers are already seeing more sophisticated groups exploiting the vulnerability. Adam Meyers, SVP of intelligence at CrowdStrike, said his team observed Iran-based, state-sponsored actor Nemesis Kitten deploy a class file into a server that could be triggered by Log4j. “CrowdStrike has previously observed Nemesis Kitten attempt both disruptive and destructive attacks,” Meyers added.

    Sophos senior threat researcher Sean Gallagher explained that so far, Log4Shell attackers have been focused on cryptomining, calling this the “lull before the storm.”

    “We expect adversaries are likely grabbing as much access to whatever they can get right now… to monetize and/or capitalize on it later on,” Gallagher said. “The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems.” He added, “This vulnerability can be everywhere.”