As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others

Microsoft says cyber-spies linked to Beijing, Tehran are getting busy with security flaw along with world + dog

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.

Up until now, it was largely accepted that mere private miscreants, criminal gangs, and security researchers were mostly scanning the internet for systems and services vulnerable to CVE-2021-44228 in the open-source logging library widely used by Java applications. Network observers say they've seen tens of thousands of attempts per minute. Successful exploitation may result in the installation of ransomware and cryptocurrency miners, the theft of cloud credentials and other information, and so on.

On Tuesday, the Microsoft Threat Intelligence Center (MSTIC) pointed the finger at specific countries, saying they are using the security bug to spread extortionware, test exploit code, and infiltrate networks:

MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.

For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.

In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.

Phosphorous is the Iranian group accused of trying to infiltrate online accounts of those involved in the US presidential elections last year. Hafnium is the Chinese team said to have exploited holes in Microsoft Exchange Server around the start of this year. Of course, Western agencies wouldn't dream of abusing this hole in the wild.

Earlier this week, Kaspersky Lab and Bitdefender said it had seen attempts to attack Log4j deployments coming from Russian IP addresses, though we note it's not terribly difficult to route connections through nodes in the land of President Putin. Mandiant also said it has seen exploitation attempts from black-hat hackers linked to Beijing and Tehran.

Yes, attribution is hard and all that. But it's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021. That's quite a tight deadline. Version 2.16 of Log4j 2.x is available that disables the vulnerable functionality by default and removes the insecure message lookup code completely.

The programming blunder has been added to CISA's known exploited vulnerabilities catalog.

Cloud money

Log4j doesn't just blow a hole in your servers, it's reopening that can of worms: Is Big Biz exploiting open source?


This security flaw is one of the worst, if not the worst, in a decade or more: there are going to be long-term repercussions as systems thought to be free of the bug turn out to be vulnerable and are exploited months or years later.

Organizations need to not only locate installations of services and applications that deep down use Log4j and patch them, but also investigate whether or not they were compromised, what information was at risk if that happened, and perhaps even just assume they were compromised and work from there.

CISA has a bunch of useful resources here on GitHub, including a big list of affected software and products and related advisories – from Amazon cloud services to VMware tools.

“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.

"This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.

"Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates."

So far, CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j. ®

Other stories you might like

  • Microsoft's do-it-all IDE Visual Studio 2022 came out late last year. How good is it really?

    Top request from devs? A Linux version

    Review Visual Studio goes back a long way. Microsoft always had its own programming languages and tools, beginning with Microsoft Basic in 1975 and Microsoft C 1.0 in 1983.

    The Visual Studio idea came from two main sources. In the early days, Windows applications were coded and compiled using MS-DOS, and there was a MS-DOS IDE called Programmer's Workbench (PWB, first released 1989). The company also came up Visual Basic (VB, first released 1991), which unlike Microsoft C++ had a Windows IDE. Perhaps inspired by VB, Microsoft delivered Visual C++ 1.0 in 1993, replacing the little-used PWB. Visual Studio itself was introduced in 1997, though it was more of a bundle of different Windows development tools initially. The first Visual Studio to integrate C++ and Visual Basic (in .NET guise) development into the same IDE was Visual Studio .NET in 2002, 20 years ago, and this perhaps is the true ancestor of today's IDE.

    A big change in VS 2022, released November, is that it is the first version where the IDE itself runs as a 64-bit process. The advantage is that it has access to more than 4GB memory in the devenv process, this being the shell of the IDE, though of course it is still possible to compile 32-bit applications. The main benefit is for large solutions comprising hundreds of projects. Although a substantial change, it is transparent to developers and from what we can tell, has been a beneficial change.

    Continue reading
  • James Webb Space Telescope has arrived at its new home – an orbit almost a million miles from Earth

    Funnily enough, that's where we want to be right now, too

    The James Webb Space Telescope, the largest and most complex space observatory built by NASA, has reached its final destination: L2, the second Sun-Earth Lagrange point, an orbit located about a million miles away.

    Mission control sent instructions to fire the telescope's thrusters at 1400 EST (1900 UTC) on Monday. The small boost increased its speed by about 3.6 miles per hour to send it to L2, where it will orbit the Sun in line with Earth for the foreseeable future. It takes about 180 days to complete an L2 orbit, Amber Straughn, deputy project scientist for Webb Science Communications at NASA's Goddard Space Flight Center, said during a live briefing.

    "Webb, welcome home!" blurted NASA's Administrator Bill Nelson. "Congratulations to the team for all of their hard work ensuring Webb's safe arrival at L2 today. We're one step closer to uncovering the mysteries of the universe. And I can't wait to see Webb's first new views of the universe this summer."

    Continue reading
  • LG promises to make home appliance software upgradeable to take on new tasks

    Kids: empty the dishwasher! We can’t, Dad, it’s updating its OS to handle baked on grime from winter curries

    As the right to repair movement gathers pace, Korea’s LG has decided to make sure that its whitegoods can be upgraded.

    The company today announced a scheme called “Evolving Appliances For You.”

    The plan is sketchy: LG has outlined a scenario in which a customer who moves to a locale with climate markedly different to their previous home could use LG’s ThingQ app to upgrade their clothes dryer with new software that makes the appliance better suited to prevailing conditions and to the kind of fabrics you’d wear in a hotter or colder climes. The drier could also get new hardware to handle its new location. An image distributed by LG shows off the ability to change the tune a dryer plays after it finishes a load.

    Continue reading

Biting the hand that feeds IT © 1998–2022