Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.
Up until now, it was largely accepted that mere private miscreants, criminal gangs, and security researchers were mostly scanning the internet for systems and services vulnerable to CVE-2021-44228 in the open-source logging library widely used by Java applications. Network observers say they've seen tens of thousands of attempts per minute. Successful exploitation may result in the installation of ransomware and cryptocurrency miners, the theft of cloud credentials and other information, and so on.
On Tuesday, the Microsoft Threat Intelligence Center (MSTIC) pointed the finger at specific countries, saying they are using the security bug to spread extortionware, test exploit code, and infiltrate networks:
MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.
For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.
In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
Phosphorous is the Iranian group accused of trying to infiltrate online accounts of those involved in the US presidential elections last year. Hafnium is the Chinese team said to have exploited holes in Microsoft Exchange Server around the start of this year. Of course, Western agencies wouldn't dream of abusing this hole in the wild.
Earlier this week, Kaspersky Lab and Bitdefender said it had seen attempts to attack Log4j deployments coming from Russian IP addresses, though we note it's not terribly difficult to route connections through nodes in the land of President Putin. Mandiant also said it has seen exploitation attempts from black-hat hackers linked to Beijing and Tehran.
Yes, attribution is hard and all that. But it's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021. That's quite a tight deadline. Version 2.16 of Log4j 2.x is available that disables the vulnerable functionality by default and removes the insecure message lookup code completely.
The programming blunder has been added to CISA's known exploited vulnerabilities catalog.
Log4j doesn't just blow a hole in your servers, it's reopening that can of worms: Is Big Biz exploiting open source?READ MORE
This security flaw is one of the worst, if not the worst, in a decade or more: there are going to be long-term repercussions as systems thought to be free of the bug turn out to be vulnerable and are exploited months or years later.
Organizations need to not only locate installations of services and applications that deep down use Log4j and patch them, but also investigate whether or not they were compromised, what information was at risk if that happened, and perhaps even just assume they were compromised and work from there.
CISA has a bunch of useful resources here on GitHub, including a big list of affected software and products and related advisories – from Amazon cloud services to VMware tools.
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.
"This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.
"Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates."
So far, CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j. ®
- Internet Explorer
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- Office 365
- Patch Tuesday
- SQL Server
- Visual Studio
- Visual Studio Code
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox 360