IOTW: Attackers exploit Log4j vulnerability

Threat actors lost no time exploiting the Log4j vulnerability that was uncovered in early December.

As security teams race to patch against the Log4j vulnerability, some still need to implement fixes.

On 22 December, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the UK released a joint Cyber Security Advisory in response to multiple vulnerabilities in Apache’s Log4j software library.

In addition, the US Department of Homeland Security (DHS) has expanded the scope of its Hack DHS bug bounty program to include additional incentives to find and patch Log4j-related vulnerabilities. The program aims to identify potential cyber security vulnerabilities within certain DHS systems and increase the Department’s cyber security resilience.

CISA has noted that malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (Log4Shell), CVE-2021-45046 and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

Attacks

Patching has been hailed as the top priority to stop the vulnerability from leading to an attack, but threat actors have already taken the opportunity to exploit it.

The Belgian Ministry of Defence confirmed that it had fallen victim to a cyber-attack via a Facebook post on 20 December in which it said requests via the www.mil.be website were affected.

It has been widely reported that the attack on the ministry’s IT network was a result of the Log4j vulnerability.

Check Point Software Technologies has also posted a blog saying it has detected a number of attacks exploiting the Log4j vulnerability, including cryptocurrency mining.

“While most detected miner attacks were Linux-based, Check Point researchers also detected an attack involving a .NET-based malware. This specific attack affected 5 victims in the finance, banking, and software industries in countries including Israel, United States, South Korea, Switzerland and Cyprus,” Check Point said in its 14 December blog.

The company said that attempts to exploit the vulnerability will likely continue to evolve in the future.

Ransomware groups exposed

The vulnerability is also being exploited by ransomware gangs like the Conti ransomware group.

In an article, cyber security firm AdvIntel said it has discovered Log4j exploitation by the sophisticated ransomware group for initial access and lateral movement targeting VMware vCenter.

On 12 December, AdvIntel discovered that multiple Conti group members had expressed interest in exploiting the vulnerability as an initial attack vector, which resulted in scanning activity leveraging the publicly available Log4J2 exploit.

As noted by AdvIntel, it is only a matter of time until Conti and others begin exploiting Log4j to its full capacity.

Patching remains the recommended path forward.
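Since the advisory's recommendation is to patch, the first question for a security team is which deployed copies of Log4j still carry the three CVEs named above. The following inventory helper is an added example written for this article; it is not code from the article, CISA, Check Point or AdvIntel. It walks a directory tree for `log4j-core` JARs, reads the version from the JAR manifest (falling back to the filename), and maps each JAR to the CVEs its version is still exposed to. The fix versions (2.15.0, 2.16.0 and 2.17.0 on the main Log4j 2.x line) come from Apache's release notes rather than from the article, and the Java 7/6 backport branches (2.12.x, 2.3.x) are deliberately not modelled. The sample JARs it builds in a temporary directory contain only a manifest and are constructed test data, not real Log4j.

```python
"""Inventory helper: find log4j-core JARs under a directory and report which of the
three Log4j CVEs named in the joint advisory each JAR's version is still exposed to.
Added example; not part of the article. Fix versions are assumed from Apache's release
notes for the main 2.x line (2.12.x / 2.3.x backport branches are not handled here)."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Minimum version on the main Log4j 2.x line that fixes each CVE (assumption from
# Apache release notes, not from the article).
FIXED_IN: Dict[str, Tuple[int, int, int]] = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version such as 2.14.1 from manifest text or a filename."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def jar_version(path: str) -> Optional[Tuple[int, ...]]:
    """Read Implementation-Version from META-INF/MANIFEST.MF; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # damaged or manifest-less JAR: try the filename instead
    return parse_version(os.path.basename(path))


def exposed_cves(version: Tuple[int, ...]) -> List[str]:
    """Return the advisory CVEs that a given log4j-core version predates the fix for."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def scan(root: str) -> Dict[str, List[str]]:
    """Map each log4j-core JAR found under root to the CVEs it is still exposed to."""
    results: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                results[path] = exposed_cves(version) if version else ["unknown version"]
    return results


def make_sample_jar(directory: str, version: str) -> str:
    """Build a constructed log4j-core-like JAR holding only a manifest (test data, not Log4j)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\nImplementation-Version: {version}\n",
        )
    return path


def demo() -> Dict[str, List[str]]:
    """Scan a temporary tree of constructed sample JARs; keyed by filename for readability."""
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("2.14.1", "2.16.0", "2.17.0"):
            make_sample_jar(tmp, v)
        return {os.path.basename(p): cves for p, cves in scan(tmp).items()}


if __name__ == "__main__":
    for jar, cves in sorted(demo().items()):
        print(jar, "->", ", ".join(cves) or "not exposed to the three advisory CVEs")
```

Run against a real application tree, `scan("/opt/myapp")` (a hypothetical path) lists every `log4j-core` JAR and the advisory CVEs each one still predates; anything other than an empty list is a patching item. Shaded or fat JARs that embed Log4j under another name are not found by filename matching, so this complements rather than replaces a full software inventory.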
