A week after the public disclosure of the Log4j vulnerability, exploitation activity is continuing to expand, with several known state attack groups from China, Iran and elsewhere targeting vulnerable systems and in some cases deploying ransomware on compromised systems.
For the first few days after the disclosure of the flaw (CVE-2021-44228) in the Apache Log4j library, most of the activity around it was mass scanning as actors tried to find vulnerable Internet-facing hosts. There was some exploitation, as well, but now that activity has moved to another phase, as APT groups from several different countries have entered the fray.
“In the wake of the vulnerability disclosure, financially motivated actors involved in cryptocurrency mining were among the first to exploit targets en masse. We anticipate that additional financially motivated actors will increasingly exploit the vulnerability in operations, leading to various monetization activities. This includes data theft, ransomware deployment, and multifaceted extortion, as these actors are known to incorporate zero-day and one-day exploits into their operations rapidly,” Mandiant’s Matthew McWhirt and John Hultquist said in a post.
Microsoft Threat Intelligence Center researchers have observed known actors from Iran, China, North Korea, and Turkey exploiting the Log4j flaw and conducting a variety of post-exploitation activities.
“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives. For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications,” the MSTIC said in a post on the attacks.
“In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.”
Both Phosphorus and Hafnium are highly active threat groups that have engaged in cyberespionage, data theft, and long-term intrusion campaigns. Each group acts in the interests of its respective government, and given the nature and severity of this vulnerability and the difficulty in identifying all potentially vulnerable apps and systems, the potential for long-term exploitation activity against this flaw is high.
In some cases, actors are deploying the Khonsari ransomware on compromised systems. Those intrusions have mainly been on Minecraft servers, which typically don’t live in enterprise networks, but there is potential for ransomware deployment in other situations, too. Some of the exploitation activity that researchers have seen has been by initial access brokers, attackers who compromise target networks and then sell that access to other groups that perform post-exploitation activity.
“MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms,” Microsoft said.
While the immediate need to identify vulnerable systems and patch them, if possible, is occupying most of the time for security and incident response teams right now, researchers expect the Log4j exploit activity to stretch on for months and possibly years.
“I think this Log4j vulnerability, while we're screaming about this and kind of on fire right now, we're at the very, very front of this. We will see this continue for this week, potentially next month, months following that, maybe years. Truthfully, I don't know. There's a very real possibility that software packages and code that isn't maintained anymore, legacy software applications that are just dead, they're not going to end up pushing a software patch or remediation,” John Hammond, senior security researcher at Huntress, said in a podcast with Decipher this week.
As if to illustrate the difficulty of the issue, researchers have discovered that the updated version of Log4j, 2.15.0, which addresses the vulnerability, has its own weaknesses. On Tuesday, Apache issued a new vulnerability report for a denial-of-service flaw in that version (CVE-2021-45046). But researchers at Praetorian discovered that an attacker can also steal sensitive information from systems under some circumstances.
"However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible," Nathan Sportsman of Praetorian wrote in a post.
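The inventory step the article keeps returning to, finding the Log4j instances an organization runs and checking them against the version thresholds reported here (anything before 2.15.0 is open to CVE-2021-44228, 2.15.0 itself is affected by CVE-2021-45046, and Praetorian's recommendation was 2.16.0), is shown below as an added Python example. It is not code from the article or from any of the vendors quoted. It assumes the library is packaged as a plainly named `log4j-core-<version>.jar` on disk; the sample paths are constructed.

```python
import re
from pathlib import Path

# Version thresholds as reported in the article: 2.15.0 was the first fix for
# CVE-2021-44228 but is itself affected by CVE-2021-45046, and the
# recommendation at the time of writing was to move to 2.16.0.
FIRST_FIX = (2, 15, 0)
RECOMMENDED = (2, 16, 0)

# Matches the standard Maven artifact name for Log4j 2's core module.
# Pre-release suffixes (e.g. "-beta9") are not handled by this pattern.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

# Constructed sample inventory (not real paths from any incident).
SAMPLE_PATHS = [
    "/opt/app-a/lib/log4j-core-2.14.1.jar",
    "/opt/app-b/lib/log4j-core-2.15.0.jar",
    "/opt/app-c/lib/log4j-core-2.16.0.jar",
    "/opt/app-c/lib/log4j-api-2.16.0.jar",   # API jar only, not the vulnerable module
    "/opt/legacy/lib/log4j-1.2.17.jar",      # Log4j 1.x, different artifact name
]


def parse_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = JAR_RE.search(str(path))
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Map a log4j-core version tuple to a remediation status string."""
    if version < FIRST_FIX:
        return "vulnerable: CVE-2021-44228 (pre-2.15.0), upgrade required"
    if version < RECOMMENDED:
        return "upgrade: 2.15.0 is still affected by CVE-2021-45046"
    return "ok: 2.16.0 or later"


def inventory(paths):
    """Classify every recognisable log4j-core jar in an iterable of paths."""
    results = {}
    for p in paths:
        v = parse_version(p)
        if v is None:
            continue  # not a log4j-core jar; ignored by this check
        results[str(p)] = classify(v)
    return results


def scan_directory(root):
    """Walk a real filesystem tree and classify the log4j-core jars found."""
    return inventory(Path(root).rglob("log4j-core-*.jar"))


if __name__ == "__main__":
    for path, status in sorted(inventory(SAMPLE_PATHS).items()):
        print(f"{status:60s} {path}")
```

Filename matching only covers the straightforward case. Log4j is frequently bundled inside WAR files, fat jars and vendor appliances where the artifact name is not visible on disk, which is the "difficulty in identifying all potentially vulnerable apps and systems" the article points to; a complete inventory also has to open archives and check software bills of materials or vendor advisories, and the thresholds in this script need updating as further advisories are published.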