The Log4j Vulnerability Is Now Used by State-Backed Hackers
The Threat Actors Are Linked to Governments in China, Iran, North Korea, and Turkey.
Last updated on June 23, 2022
The vulnerability, officially tagged as CVE-2021-44228 and called Log4Shell or LogJam, is an unauthenticated RCE vulnerability that allows total system takeover on systems running Log4j 2.0-beta9 through 2.14.1.
Nation-state hackers of various sorts have pounced on the recently reported major vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging framework.
Cryptocurrency mining organizations and botnets were among the first threat actors to use Log4Shell to deliver payloads, launching attacks as soon as the proof-of-concept exploit code was published.
Microsoft Threat Intelligence Center (MSTIC) observed the critical Log4j bug being exploited to drop Cobalt Strike beacons. As reported by BleepingComputer, MSTIC updated its report on Tuesday to add that it had detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked “groups originating from China, Iran, North Korea, and Turkey.”
MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.
For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.
In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
As previously reported, Log4Shell was utilized in a ransomware campaign by a new actor called Khonsari.
According to current information, Khonsari may be intended to destroy data rather than hold it for ransom, since its ransom note lists contact details for a Louisiana antique store owner rather than for the attacker, leaving victims no way to pay for decryption.
The Cybersecurity and Infrastructure Security Agency (CISA) has instructed government agencies to patch systems immediately, since the flaw carries the maximum severity rating and can be exploited remotely without authentication to take complete control of a susceptible system.
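A first step in that patching work is knowing which deployed Log4j versions fall inside the affected range the article gives (2.0-beta9 through 2.14.1). The following inventory check is an added example written for this page, not code from Microsoft, CISA or the Log4j project; the host names and the tab-separated inventory format are constructed assumptions, and the only thing it encodes is the version range stated above.

```python
import re
from typing import List, Optional, Tuple

# Affected range exactly as stated in the article: 2.0-beta9 through 2.14.1, inclusive.
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX = "2.14.1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release (rank 3) sorts above any pre-release

def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn a Log4j version string such as '2.0-beta9' into a sortable tuple, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre.lower()] if pre else 3
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))

def is_affected(version: str) -> Optional[bool]:
    """True if the version lies inside the affected range, False if outside, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)

def triage_inventory(lines: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Each inventory line is 'host<TAB>log4j-core version' (assumed format); comments and blanks are skipped."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        results.append((host, version.strip(), is_affected(version)))
    return results

# Constructed sample inventory with hypothetical hosts; not data from the article.
SAMPLE_INVENTORY = (
    "# host\tlog4j-core version\n"
    "app-01\t2.14.1\n"
    "app-02\t2.0-beta8\n"
    "app-03\t2.0-beta9\n"
    "app-04\t2.15.0\n"
    "app-05\tunknown\n"
)

if __name__ == "__main__":
    for host, version, verdict in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        label = {True: "AFFECTED", False: "outside stated range", None: "UNPARSEABLE - inspect manually"}[verdict]
        print(f"{host:8} {version:10} {label}")
```

An "outside stated range" verdict only means the version is not in the range this article quotes; confirm against the current Apache and CISA advisories before treating a host as patched.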
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.