APT Actors and Access Brokers Actively Exploiting Log4j Zero-day

Microsoft has issued a warning that multiple threat actors have been scanning for systems that have not had the Log4j zero-day vulnerability (CVE-2021-44228) patched and have been conducting attacks to gain access to victims’ networks.  Nation-state hacking groups are attempting to exploit the ‘Log4Shell’ vulnerability to install malware on victims’ systems. Microsoft has observed Advanced Persistent Threat (APT) actors linked to China (Hafnium), Iran (Phosphorus/Charming Kitten), North Korea, and Turkey exploiting the flaw to gain a foothold in victims’ networks. The APT groups are known to conduct attacks for espionage purposes but some, such as Phosphorus, are also known to conduct ransomware attacks.

Several cyber threat actors known to act as initial access brokers have also been detected exploiting the Log4j vulnerability to gain access to Windows and Linux systems, and operators of botnets have also been exploiting the vulnerability to compromise devices and add them to their botnets. Access brokers and botnet operators work with ransomware gangs and sell access to compromised devices, which is likely to mean that there will be an increase in ransomware attacks over the coming weeks. Threat actors have also been exploiting the vulnerability to drop cryptocurrency miners on victims’ systems, and threat actors have been observed dropping Cobalt Strike beacons. The vulnerability may also be exploited in more destructive attacks, such for deploying wipers.

Rapid7 said it has identified at least 70 different malware families being deployed by exploiting the vulnerability and that at least 1.8 million attacks have been conducted exploiting the Log4Shell vulnerability. Security researcher Greg Linares said he has seen evidence that a self-propagating worm is being developed, “Based on what I’ve seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours… Self propagating with the ability to stand up a self hosted server on compromised endpoints. In addition to spraying traffic, dropping files, it will have c2c,” said Linares.

Given the severity of the vulnerability and the ease at which it can be exploited, it is no surprise that so many threat actors have been taking advantage of the opportunity the vulnerability offers and it is likely attacks exploiting the vulnerability will continue for many weeks.  The Cybersecurity and Infrastructure Security Agency (CISA) has recently ordered all federal agencies to implement the patch to fix the vulnerability before Christmas to prevent exploitation, although that may well be too late for some agencies given the rate at which threat actors are exploiting the vulnerability.

The U.S. Department of Health and Human Services has recently issued an alert urging healthcare organizations to take immediate action and scan for vulnerable systems and address the vulnerability. The healthcare industry has been extensively targeted by ransomware gangs this year, and unpatched systems are likely to be targeted. One of the main issues with this vulnerability is many software solutions have Log4j embedded. In healthcare, which often relies on legacy solutions, it is possible that the vulnerability will never receive a patch, and users of outdated software may not even be aware that their software solutions are vulnerable.

UPDATE: The patch to fix the critical Log4Shell vulnerability in the Log4j Java-based logging utility (CVE-2021-44228) did not fully correct the vulnerability which meant certain non-default configurations of Log4j were still vulnerable. The 9.0 severity bug was assigned CVE – CVE-2021-45046 and was corrected in version 2.16.0, although version 2.17.0 has now been released which corrects a third vulnerability, a 7.5 severity DoS issue tracked as  CVE-2021-45105.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news