Log4j: Belgian Defense Ministry Reports It Was 'Paralyzed'Ministry of Defense Says Attack Relates to Widespread Apache Flaw
The Belgian Ministry of Defense, which is responsible for national defense and the Belgian military, announced on Monday that it has fallen victim to a cyberattack officials say relates to the widespread Apache Log4j vulnerability. The attack reportedly "paralyzed the ministry's activities for several days."
In comments provided to the Belgian newspaper De Standaard, a military spokesperson said an attack on the ministry's IT network was first detected last Thursday, and "quarantine measures" were taken to isolate affected areas. It is not known if this was a ransomware incident.
The ministry told the Belgian newspaper that the cyberattack stemmed from Apache's Log4j - which provides logging capabilities for Java applications and is widely used, including for Apache web server software.
Belgian Commander Olivier Séverin also told the outlet, "All weekend our teams have been mobilized to control the problem, continue our activities and warn our partners."
Taking to Facebook in the wake of the attack, the Ministry of Defense writes, "Due to technical issues, we are unable to process your requests via mil.be or answer your queries via Facebook. We are working on a resolution and we thank you for your understanding."
Representatives for both the ministry and Defense Minister Ludivine Dedonder did not respond to Information Security Media Group's request for comment. Belgian officials also did not elaborate on the attack's specifics with De Standaard.
The Belgian incident is one of the first high-profile attacks stemming from the Log4j vulnerability, although cybersecurity experts have warned of active scanning and exploitation of the remote code execution vulnerability.
Dangerously High Severity
The vulnerability, initially tracked as CVE-2021-44228 and detected in the Java logging library Apache Log4j, can result in full server takeover and leaves countless applications vulnerable. The component is used to log events and is part of tens of thousands of deployed applications and cloud-based services. CVE-2021-44228 has a 10 severity rating on a scale of 1 to 10, as attackers can remotely exploit it without any input from the victim, and it requires limited technical ability to deploy.
Since the flaw was discovered, the nonprofit that maintains Log4j, the Apache Software Foundation, has released several new versions - including 2.17, the latest - to fix subsequent, high-severity denial-of-service vulnerabilities.
The latest patch follows an emergency directive issued by the U.S. Cybersecurity and Infrastructure Security Agency, requiring federal civilian departments and agencies to "immediately" patch their systems or implement appropriate mitigation measures. CISA previously gave agencies until Friday to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog (see: CISA to Agencies: Patch Log4j Vulnerability 'Immediately').
Dridex, Meterpreter Used in Attacks
The security research group Cryptolaemus has now made the connection between the Log4j vulnerability and Dridex banking malware, along with the Meterpreter pen-testing tool for Linux devices, which can potentially allow for lateral movement and data exfiltration.
We have verified distribution of #Dridex 22203 on Windows via #Log4j #Log4Shell. Class > MSHTA > VBS > rundll32.— Cryptolaemus (@Cryptolaemus1) December 20, 2021
Payload URLs: https://t.co/RoZubNKUs5
DLL sample: https://t.co/6P8aHdim8v
HTA > DLL run: https://t.co/KdGZfmHkMN pic.twitter.com/IsoYWfdKcq
There has been no shortage of new attack attempts arising from the exploit of Log4Shell, including nation-state activity and cybercrime groups launching new phishing campaigns. Some experts said last week they were detecting some 100,000 attack attempts per minute related to Log4j (see: Apache Log4j: New Attack Vectors, Ransomware Seen).
Dridex, tracked by CISA as AA19-339A, has been used in tandem with the Log4j vulnerability by threat actors to launch attacks on Windows systems. Experts say malware operators are also using tools such as Meterpreter for persistence on networks, including Linux devices.
One of the most widely deployed malware strains against financial institutions, Dridex was first detected in 2012, according to CISA. Early Dridex versions were used for intercepting customer transactions and gathering login credentials. The banking Trojan has since been used to infect devices with ransomware and has been linked to the notorious Russian hacking group Evil Corp.
Attackers have traditionally pushed Dridex malware through phishing campaigns, and it has been linked to a variety of tactics, techniques and procedures, or TTPs, including installing keylogging software and launching crypto-locking malware attacks, CISA says.
One identifier of the Dridex threat actors leveraging the Log4Shell vulnerability includes file names and URLs labeled with derogatory terms - including religious and racial slurs - as first reported by Bleeping Computer.
If the exploit is unable to launch Windows commands, the malware assumes it is instead a Linux device and executes a Python script. Threat actors are also reportedly installing the pen-testing tool Meterpreter to connect to a compromised server and remotely execute commands, Bleeping Computer reported.
For the latest news and mitigation strategies from Information Security Media Group's reporting on the Log4j vulnerability, visit the updated thread, here.