The Log4j Vulnerability Is Now Used by State-Backed Hackers
The Threat Actors Are Linked to Governments in China, Iran, North Korea, and Turkey.
The vulnerability, officially tagged as CVE-2021-44228 and called Log4Shell or LogJam, is an unauthenticated RCE vulnerability that allows total system takeover on systems running Log4j 2.0-beta9 through 2.14.1.
Nation-state hackers of various sorts have pounced on the recently reported major vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging framework.
Microsoft Threat Intelligence Center (MSTIC) observed the critical Log4j bug being exploited to drop Cobalt Strike beacons.
As reported by BleepingComputer, MSTIC updated its report on Tuesday to add that it had detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked “groups originating from China, Iran, North Korea, and Turkey.”
MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.
For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.
In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
Microsoft has also established that initial access brokers, who sell network access to a variety of parties, most of them financially motivated, have begun to exploit the Log4j bug.
Typically, initial access brokers engage with ransomware-as-a-service (RaaS) operators, to whom they sell access to infiltrated enterprise networks.
As previously reported, Log4Shell was utilized in a ransomware campaign by a new actor called Khonsari.
According to current information, Khonsari may be intended to delete data rather than encrypt it, since its ransom note provides contact information for a Louisiana antique store owner rather than for the attacker.
The Cybersecurity and Infrastructure Security Agency (CISA) has instructed government agencies to patch systems immediately, since the flaw has the maximum severity rating and can be exploited remotely without authentication to take complete control of a susceptible system.
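The practical first step behind CISA's patch instruction is knowing which hosts still run a Log4j 2 build inside the affected range the article gives (2.0-beta9 through 2.14.1). The following is an added example, not code from the article, Microsoft, or the Apache project: it parses Log4j 2 version strings, including pre-release tags such as beta9 and rc1, so that they compare in release order, and then flags hosts in a constructed inventory whose log4j-core jar falls inside that range. The host names and jar names are made up for the example.

```python
"""Added example: flag Log4j 2 versions inside the range the article gives for
CVE-2021-44228 (2.0-beta9 through 2.14.1). Not code from the article or from
Apache; host names and jar names below are constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the article.
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX = "2.14.1"

# Constructed inventory: what a software-inventory export might list per host
# (hypothetical host names, not from the article).
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "web-01": ["log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar"],
    "web-02": ["log4j-core-2.15.0.jar"],
    "batch-01": ["log4j-core-2.0-beta9.jar"],
    "batch-02": ["log4j-core-2.0-beta8.jar"],
    "legacy-01": ["log4j-1.2.17.jar"],  # Log4j 1.x is a different code base, not this CVE
}

# Log4j 2 versions look like 2.14.1, 2.0.1, 2.0, 2.0-beta9, 2.0-rc1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK[tag] if tag else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def is_affected(version: str) -> bool:
    """True if the version lies within 2.0-beta9 .. 2.14.1 inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def log4j_core_version(jar_name: str) -> Optional[str]:
    """Extract the version from a log4j-core jar file name, else None."""
    m = _JAR_RE.match(jar_name)
    return m.group(1) if m else None


def find_vulnerable_hosts(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each host to the affected log4j-core versions found on it."""
    findings: Dict[str, List[str]] = {}
    for host, jars in inventory.items():
        hits = [v for v in map(log4j_core_version, jars) if v and is_affected(v)]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, versions in find_vulnerable_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: patch log4j-core {', '.join(versions)}")
```

Matching on jar file names is only a first pass: applications shipped as shaded or "uber" jars embed log4j-core classes under a different file name, so a thorough inventory also reads the version from the jar's own metadata (for example the pom.properties under META-INF/maven) rather than trusting the name. Keep the range constants in sync with the current Apache advisory instead of hard-coding them permanently.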