Nation-State Attackers Wielding Log4j Against Targets
Exploits Trace to China, Iran, North Korea, Turkey; Minecraft Servers Get Ransomware
The imperative to find and patch all instances of a vulnerability in widely used Apache software continues to grow.
Cybersecurity experts are warning that a number of attackers tied to nation-states appear to be actively abusing or testing the Apache Log4j vulnerability. Criminal groups have also begun to target the flaw to drop malicious code, including crypto-locking malware, and well-known access brokers are using the flaw to gather enterprise access credentials for sale to other attackers, including ransomware groups, some experts warn.
Maintained by the nonprofit Apache Software Foundation, Log4j provides logging capabilities for Java applications and is widely used, including for Apache web server software. The years-old flaw is present in the Apache Log4j library, versions 2.0-beta9 to 2.14.1, and the U.S. Cybersecurity and Infrastructure Security Agency said organizations should treat fixing it with the highest priority.
On Thursday, John Graham-Cumming, CTO of web infrastructure provider Cloudflare, said the company was tracking more than 100,000 attempts to scan for or exploit Log4j per minute.
"Sadly, scanning and exploiting the #Log4Shell vulnerabilities has increased past 100k blocked attacks per minute (peaks of >2,000 per second) and today looks like the most active day since this became public."
John Graham-Cumming (@jgrahamc), December 16, 2021
Designated CVE-2021-44228, the vulnerability "exists in the action the Java Naming and Directory Interface - JNDI - takes to resolve variables," CISA says. "Affected versions of Log4j contain JNDI features - such as message lookup substitution - that 'do not protect against adversary-controlled lightweight directory access protocol - LDAP - and other JNDI-related endpoints,'" according to the U.S. government's vulnerability details.
The EU agency for cybersecurity, ENISA, says that "due to the nature of the vulnerability, its ubiquity and the complexity of patching in some of the impacted environments," it's imperative for all organizations to "assess their potential exposure as soon as possible."
But it's not clear when that will be possible, says Mandiant CTO Charles Carmakal. "Organizations are challenged with identifying all of the vulnerable Log4j instances across their enterprise. Patching isn't trivial. Many vendors are still determining whether their software uses Log4j, as organizations eagerly wait to know if they should apply emergency patches," he says. "Closed box systems, vendor-managed systems and software that's no longer maintained - but still running in test or even production environments - add to the complexity and pain."
The impetus to mitigate the flaw and apply patches as soon as possible has been growing, after cybersecurity firms CrowdStrike and Mandiant this week warned that they have seen Chinese and Iranian APT groups targeting the CVE-2021-44228 vulnerability.
On Wednesday, Microsoft reported seeing a bevy of APT activity, tracing not just to China and Iran but also to attackers affiliated with North Korea and Turkey.
"This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives," Microsoft says.
For example, Microsoft says it's seen an Iranian APT group known as Charming Kitten, Phosphorus and TA453, "acquiring and making modifications of the Log4j exploit," and it believes the group may now be using the attack code for in-the-wild attacks.
Microsoft also says it's seen an Iranian APT group known as Hafnium, aka APT31 and APT40, using the exploit to identify new targets. The group was tied to a series of zero-day attacks against Exchange servers early this year, launched via leased virtual private servers largely in the U.S.
In the latest attacks, "Hafnium-associated systems were observed using a DNS" - or domain name lookup - "service typically associated with testing activity to fingerprint systems," Microsoft says.
Criminals have also been targeting the flaw to deploy malware on Linux systems as well as .NET ransomware called Khonsari against Windows endpoints, as security firm Bitdefender has detailed.
Attackers have also been hitting Minecraft servers that are not managed by Microsoft, the company's security researchers warn, saying the goal of the attacks appears to be not just to deploy Khonsari ransomware on the servers, but also to gather credentials for later use.
"While it's uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials," it says. "These techniques are typically associated with enterprise compromises with the intent of lateral movement. Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use."
Well-known initial access brokers have also been targeting the flaw to gain access to enterprise networks. "These access brokers then sell access to these networks to ransomware-as-a-service affiliates" and others, Microsoft says.
Guidance: Update to 2.16
To fix the flaw, Apache on Friday released Log4j version 2.15.0. Then on Monday, Apache released Log4j version 2.16, which includes a fix for a newly found flaw, CVE-2021-45046, that could be used to create a denial-of-service attack.
Experts recommend that organizations first apply the version 2.16.0 patch to anything that hasn't yet been updated to 2.15.0, and then update all version 2.15 systems to 2.16 (see: How to Patch Log4j Now That Version 2.16 Has Been Released).
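An inventory check for the two version cutoffs the article gives (the 2.0-beta9 through 2.14.1 range and the 2.15.0 interim release that still needs 2.16.0), as an added example that is not the article's or Apache's code: it reads a log4j-core JAR's manifest version, and when a repackaged JAR has no usable manifest it falls back to whether JndiLookup.class is present. The manifest parsing, the status labels and the sample JAR builder are this example's own assumptions and constructed data.

```python
# Added example (not code from the article or Apache): classify log4j-core JARs by the article's ranges.
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", re.M)

def parse_version(text):
    """'2.0-beta9' -> (2, 0, -2, 9); '2.0-rc1' -> (2, 0, -1, 1); '2.14.1' -> (2, 14, 1, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", text)
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = {"beta": -2, "rc": -1, None: 0}[tag]  # pre-releases sort below the final build
    return (int(major), int(minor), rank if tag else int(patch or 0), int(num or 0))

def classify_version(text):
    """Map a log4j-core version string to the remediation state the article describes."""
    v = parse_version(text)
    if v is None or v[0] != 2:
        return "not-log4j2"
    if (2, 0, -2, 9) <= v <= (2, 14, 1, 0):
        return "vulnerable-CVE-2021-44228"  # go straight to 2.16.0
    if v[:3] == (2, 15, 0):
        return "upgrade-CVE-2021-45046"  # 2.15.0 still needs the 2.16.0 update
    return "ok"

def classify_jar(jar_bytes):
    """Inspect one in-memory JAR: manifest version plus presence of JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    is_core = any(n.startswith(CORE_PREFIX) for n in names)
    has_lookup = JNDI_LOOKUP in names
    version = m.group(1) if is_core and (m := VERSION_RE.search(manifest)) else None
    status = classify_version(version) if version else (  # shaded jars often lose the manifest
        "vulnerable-unknown-version" if has_lookup else "not-log4j2")
    return {"version": version, "jndi_lookup_present": has_lookup, "status": status}

def build_sample_jar(version, include_lookup):  # constructed stand-in for a log4j-core jar, not a real artifact
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nBundle-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()
```

Run classify_jar over every .jar (and over JARs nested inside .war or .ear archives) found on a host, and treat "vulnerable-unknown-version" as a hit to verify by hand.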
"We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity," CISA Director Jen Easterly said.
CISA has added CVE-2021-44228 to its list of known-to-be-exploited vulnerabilities. Doing so "compels federal civilian agencies - and signals to nonfederal partners - to urgently patch or remediate this vulnerability," Easterly said.
"We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability," she said.
CISA has urged any U.S. organization that suffers a Log4j attack to immediately report the incident to CISA or the FBI.
Also, CISA is continuing to offer updated Apache Log4j vulnerability guidance, and is maintaining a list of software known to be affected as well as software not affected, which currently features more than 750 entries.
Imperative: Rapid Mitigation and Patching
CISA has given federal civilian executive branch agencies a tough deadline to patch the CVE-2021-44228 vulnerability: Dec. 24. It also has urged them to immediately deploy web application firewalls to block attack attempts and to sound security operations center alarms if such attacks hit the network.
Numerous vendors and software development projects that use the software, however, have yet to determine if their tools are vulnerable and prepare a patch. Before applying any patches, experts say organizations must assume attackers have already used the flaw against them, until proven otherwise. "Patching doesn't remove the existing compromise," says Jake Williams, CTO at cybersecurity firm BreachQuest.
Due to the flaw's ubiquity and the need for so many different pieces of software to be updated, John Hultquist, Mandiant's vice president of intelligence analysis, expects the impact of this flaw to be felt for some time. He says: "The effects of this vulnerability will reverberate for months to come - maybe even years - as we try to close these doors and try to hunt down all the actors who made their way in."