
Log4j flaw: Microsoft warns that state-backed hackers are now using vulnerabilities as part of their attacks | 中德网

According to Microsoft, state-sponsored hackers from China, Iran, North Korea, and Turkey have begun testing, exploiting and using Log4j vulnerabilities to deploy malware, including ransomware.

As officials at the US Cybersecurity and Infrastructure Security Agency (CISA) predicted, more sophisticated attackers are now beginning to exploit the so-called Log4Shell vulnerability (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It is a severe flaw that allows a remote attacker to take control of an affected device once it has been exploited.

CISA officials warned on Tuesday that hundreds of millions of corporate and consumer devices are at risk until the vulnerability is fixed.


Log4j flaw coverage: what you need to know now


So far, most of the attacks Microsoft has observed are related to large-scale scans by attackers trying to fingerprint vulnerable systems and scans by security companies and researchers.

“The vast majority of activities observed are scanning, but exploitation and post-exploitation activities have also been observed. Depending on the nature of the vulnerability, once an attacker has full access and control of the application, they can perform countless goals. The activities observed by Microsoft include installing coin miners, Cobalt Strike to achieve credential theft and lateral movement, as well as stealing data from infected systems,” Microsoft said.

The flaw's ease of exploitation and the library's wide distribution make it an attractive target for sophisticated criminals and state-backed attackers alike.

It is the latter group that is now beginning to exploit the vulnerability.

Microsoft said: “The scope of this activity ranges from experiments in the development process, integration of vulnerabilities, to deployment of payloads in the field, and the use of targets to achieve participants’ goals.”

Microsoft has turned its focus to the Iranian hacking group it tracks as Phosphorus, which has recently increased its use of file-encryption tools to deploy ransomware on its targets. According to the Microsoft Threat Intelligence Center (MSTIC), the group has obtained and modified a Log4j exploit for its own use.

“We assess that Phosphorus has implemented these changes,” MSTIC notes.

Hafnium, the Beijing-backed hacking group behind this year's Exchange Server vulnerability, has also been using Log4Shell to “expand their typical goals for virtualized infrastructure.”

Microsoft has observed systems used by Hafnium employing a Domain Name System (DNS) service to identify systems.

Log4Shell was disclosed on December 9 by the Apache Software Foundation. CERT New Zealand reported that the vulnerability was being actively exploited. Apache released a patch last week. However, vendors including Cisco, IBM, Oracle and VMware still need to integrate the patch into their own affected products before customers can deploy it.

The MSTIC and Microsoft 365 Defender teams also confirmed that “access brokers”, groups that sell or rent access to infected machines, have been using the Log4j flaw to gain a foothold in targeted networks on both Linux and Windows systems. This type of access is often sold to ransomware groups looking for victims; security company Bitdefender reported that a new ransomware family called Khonsari is already trying to exploit the Log4j vulnerability.

CISA yesterday published on GitHub its list of products affected by the Log4Shell flaw, following a similar list released earlier this week by the Dutch cybersecurity agency (NCSC). The CISA list records the vendor, product, version, vulnerability status, and availability of updates.


Log4j flaw coverage: how to keep your company safe


The US list will be a convenient tool for organizations repairing affected devices, especially US federal agencies, which CISA, part of the Department of Homeland Security, yesterday ordered to test which internal applications and servers are susceptible to this flaw before December 24.

Cisco customers will be busy rolling out patches in the coming weeks. A glance at Cisco's list of affected products alone highlights the work ahead for agency teams, who must identify affected systems before the Christmas holiday. The CISA list also includes a large number of affected VMware virtualization software tools, most of which have no patch available yet.

Dozens of Cisco software and networking products are affected. Cisco released a patch for Webex Meetings Server yesterday; there are also patches for Cisco CX cloud proxy software.

Other affected Cisco products without patches include Cisco’s AMP virtual private cloud appliance, its advanced network security reporting application, Firepower Threat Defense (FTD) and Cisco Identity Services Engine (ISE). Some network infrastructure management and supply products are also vulnerable, and patches are scheduled to be released on December 21 and beyond.
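The article describes the CISA list as recording vendor, product, version, vulnerability status and update availability, and notes that agencies must identify their affected systems before the December 24 deadline. The script below, an added example that is not code from the article, CISA or any vendor, shows how a defender can join such a list against a software inventory to produce a prioritised remediation list. The CSV rows, the inventory entries and the vendor and product names in it are constructed for illustration; the column layout is an assumption that mirrors the fields the article names, not CISA's actual file format.

```python
"""Triage a Log4Shell affected-products list against a software inventory.

Added example (not the article's or CISA's code). The column layout below is an
assumption based on the fields the article says the CISA list carries; the rows
and the inventory are constructed sample data, not real vendor information.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample list in the assumed column order.
AFFECTED_LIST_CSV = """vendor,product,version,status,update_available
ExampleVendor,Meeting Server,3.0,Affected,yes
ExampleVendor,Cloud Agent,1.2,Affected,yes
ExampleVendor,Threat Defense,6.7,Affected,no
ExampleVendor,Identity Engine,2.4,Affected,no
OtherVendor,Hypervisor Manager,7.0,Affected,no
OtherVendor,Log Viewer,4.1,Not Affected,n/a
"""

# Constructed inventory: (vendor, product, version) triples the organisation runs.
INVENTORY = [
    ("ExampleVendor", "Meeting Server", "3.0"),
    ("ExampleVendor", "Threat Defense", "6.7"),
    ("OtherVendor", "Log Viewer", "4.1"),
    ("OtherVendor", "Backup Appliance", "9.9"),  # not catalogued on the list at all
]

DEADLINE = date(2021, 12, 24)  # the CISA deadline quoted in the article

# Lower number = handle first: no patch means a workaround is needed now.
PRIORITY = {"mitigate": 0, "patch": 1, "unknown": 2}


@dataclass(frozen=True)
class Finding:
    vendor: str
    product: str
    version: str
    action: str  # "patch", "mitigate" or "unknown"


def load_affected(csv_text: str) -> dict:
    """Index the list by (vendor, product, version), case-insensitively."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[k].strip().lower() for k in ("vendor", "product", "version"))
        index[key] = (row["status"].strip().lower(),
                      row["update_available"].strip().lower())
    return index


def triage(inventory, affected_index) -> list:
    """Return findings for inventory items that are affected or not yet catalogued."""
    findings = []
    for vendor, product, version in inventory:
        entry = affected_index.get((vendor.lower(), product.lower(), version.lower()))
        if entry is None:
            # Absence from the list is not a clean bill of health: verify with the vendor.
            action = "unknown"
        else:
            status, update = entry
            if status != "affected":
                continue  # explicitly listed as not affected
            action = "patch" if update == "yes" else "mitigate"
        findings.append(Finding(vendor, product, version, action))
    # Stable sort keeps inventory order within each priority bucket.
    return sorted(findings, key=lambda f: PRIORITY[f.action])


def days_left(today_iso: str, deadline: date = DEADLINE) -> int:
    """Days remaining until the deadline from an ISO date such as '2021-12-15'."""
    return (deadline - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    for f in triage(INVENTORY, load_affected(AFFECTED_LIST_CSV)):
        print(f"{f.action:8} {f.vendor} {f.product} {f.version}")
    print("days until deadline:", days_left(date.today().isoformat()))
```

Items with no available update sort first because they need a workaround rather than a scheduled patch, and anything missing from the list is reported as unknown rather than silently assumed safe, since the article notes that vendors are still adding products.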
