{"id":20269,"date":"2021-12-16T20:00:03","date_gmt":"2021-12-16T20:00:03","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20269"},"modified":"2021-12-23T19:06:10","modified_gmt":"2021-12-23T19:06:10","slug":"nation-state-ransomware-groups-apache-log4j","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/","title":{"rendered":"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw"},"content":{"rendered":"<p>Nation-state cyber threat groups and <a href=\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-protection\/\">ransomware<\/a> attackers are moving in to exploit a critical flaw found in the seemingly ubiquitous Apache Log4j open-source logging tool, as <a href=\"https:\/\/www.esecurityplanet.com\/threats\/log4shell-exploitation-grows\/\">attacks spread<\/a> just days after the vulnerability that could affect hundreds of millions of devices was <a href=\"https:\/\/www.esecurityplanet.com\/threats\/apache-log4j-zero-day-puts-servers-at-risk\/\">made public late last week<\/a>.<\/p>\n<p>Microsoft researchers <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/12\/11\/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> that the remote code execution (RCE) vulnerability is being exploited by nation-state groups associated with China, North Korea, Iran and Turkey, with activity that includes \u201cexperimentation during development, integration of the vulnerability to in-the-wild <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-use-payloads-to-take-over-your-machine\/\">payload<\/a> deployment, and exploitation against targets to achieve the actor\u2019s objectives.\u201d<\/p>\n<p>The vulnerability can be abused to enable an attacker to gain control of a targeted system.<\/p>\n<p>Two of the known groups include Phosphorus from Iran and Hafnium from China. According to Microsoft, Phosphorus has been deploying ransomware and acquiring and making modifications to the Log4j exploit. In addition, Hafnium \u201chas been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting,\u201d the researchers wrote in the blog post. \u201cIn these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.\u201d<\/p>\n<h2>Log4j Patching, Scanning Success Reported<\/h2>\n<p><strong>Update:<\/strong> In one positive and unexpected development, external attack surface management company Cyberpion reported that enterprises are patching the Log4j vulnerabilities unusually fast, if imperfectly.<\/p>\n<p>Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a <a href=\"https:\/\/github.com\/cisagov\/log4j-scanner\" target=\"_blank\" rel=\"noopener\">scanning tool<\/a> to &#8220;help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.&#8221;<\/p>\n<p>Cyberpion scanned more than 500 enterprises to assess their exposure to the flaw in relation to their connected, third-party online assets and infrastructures. The vast majority (95%) of organizations were connected to external vulnerable infrastructure, yet while 3% of their third-party assets were exposed as of Dec. 11, this had fallen to just 0.11% as of Dec. 
16.<\/p>\n<p>To quickly block the attack, firewall rules were added by many security teams, though some could easily be bypassed with slightly more sophisticated payloads, indicating that many vulnerabilities still exist and can still be exploited, the company said.<\/p>\n<figure id=\"attachment_20283\" aria-describedby=\"caption-attachment-20283\" style=\"width: 908px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-20283\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2021\/12\/log4j-patching-speed.png\" alt=\"log4j patching speed\" width=\"908\" height=\"442\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/log4j-patching-speed.png 908w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/log4j-patching-speed-300x146.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/log4j-patching-speed-768x374.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/log4j-patching-speed-150x73.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/log4j-patching-speed-696x339.png 696w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><figcaption id=\"caption-attachment-20283\" class=\"wp-caption-text\">Log4j patching speed (source: Cyberpion)<\/figcaption><\/figure>\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/products\/patch-management-software\/\">Best Patch Management Software<\/a><\/p>\n<h2><strong>Expanding Log4j Attacks<\/strong><\/h2>\n<p>At the same time, cybersecurity professionals are reporting that bad actors are expanding the range of attacks they\u2019re launching against the <a href=\"https:\/\/www.esecurityplanet.com\/threats\/zero-day-threat\/\">zero-day<\/a> Log4j exploit, which is being tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\" target=\"_blank\" rel=\"noopener\">CVE-2021-44228<\/a> and has been dubbed Log4Shell. 
<a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/security.html\" target=\"_blank\" rel=\"noopener\">Apache is tracking vulnerabilities<\/a> as they emerge, and VMware has issued <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0028.html\" target=\"_blank\" rel=\"noopener\">its own advisory<\/a>.<\/p>\n<p>Bitdefender researchers wrote in a <a href=\"https:\/\/businessinsights.bitdefender.com\/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild\" target=\"_blank\" rel=\"noopener\">blog post<\/a> that early exploit attempts have involved <a href=\"https:\/\/www.esecurityplanet.com\/networks\/what-is-cryptojacking-and-why-is-it-a-cybersecurity-risk\/\">cryptojacking<\/a> and botnets, such as the Muhstik botnet.<\/p>\n<p>However, while most of the attacks seen are targeting Linux servers, there are emerging attacks aimed at Windows systems, including a new ransomware family called Khonsari, which was first observed Dec. 11 as a malicious .NET binary file.<\/p>\n<p>Microsoft researchers also wrote that multiple groups acting as access brokers are using Log4Shell to gain initial access to target networks and then \u201csell access to these networks to ransomware-as-a-service affiliates. 
We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.\u201d<\/p>\n<p>Like Bitdefender, Microsoft also has seen the flaw absorbed into existing botnets, such as <a href=\"https:\/\/www.esecurityplanet.com\/threats\/cloudflare-mirai-botnet-ddos-attack\/\">Mirai<\/a>.<\/p>\n<p>Greg Linares, principal software architect at Cylance, said in a <a href=\"https:\/\/twitter.com\/Laughing_Mantis\/status\/1470165580736987137\" target=\"_blank\" rel=\"noopener\">tweet<\/a> that he expects a worm to be developed within the next day or so that leverages the Log4j flaw.<\/p>\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/products\/vulnerability-management-software\/\">Top Vulnerability Management Tools<\/a><\/p>\n<h2><strong>Escalation of Exploit Attempts<\/strong><\/h2>\n<p>Overall, the pace and range of attacks are growing rapidly. Security researchers at Check Point Software in a <a href=\"https:\/\/blog.checkpoint.com\/2021\/12\/13\/the-numbers-behind-a-cyber-pandemic-detailed-dive\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a> said that after the first weaponized proof-of-concepts (POCs) illustrating the vulnerability hit the internet on Dec. 
9, there were reports of thousands of attacks the next day, expanding to more than 800,000 attacks after 72 hours.<\/p>\n<p>Since Check Point began implementing its protection, the company in three days had prevented more than 1.8 million attempts to \u201callocate the vulnerability,\u201d with more than 46 percent of the attempts being made by known malicious groups, they wrote.<\/p>\n<p>There have been attempted exploits of the Log4j vulnerability on more than 44 percent of all corporate networks worldwide, according to Check Point.<\/p>\n<p>\u201cThree days after the outbreak, we are summing up what we see until now, which is clearly a cyber pandemic that hasn\u2019t seen its peak yet,\u201d they wrote.<\/p>\n<figure id=\"attachment_20273\" aria-describedby=\"caption-attachment-20273\" style=\"width: 849px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-20273\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2021\/12\/Log4j-Check-Point-graph.png\" alt=\"Log4j attacks\" width=\"849\" height=\"549\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png 849w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph-300x194.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph-768x497.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph-150x97.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph-696x450.png 696w\" sizes=\"(max-width: 849px) 100vw, 849px\" \/><figcaption id=\"caption-attachment-20273\" class=\"wp-caption-text\">Growing Log4j attacks<\/figcaption><\/figure>\n<p>In a <a href=\"https:\/\/twitter.com\/eastdakota\/status\/1470767351087964164\" target=\"_blank\" rel=\"noopener\">tweet<\/a> the same day, Cloudflare CEO Matthew Prince said the situation may be even more dire. 
Prince said his company is seeing more than 400 attempted exploits per second and that \u201cpayloads getting scarier. Ransomware payloads started in force in last 24 hours.\u201d<\/p>\n<h2><strong>Second Vulnerability Detected<\/strong><\/h2>\n<p>Complicating the matter even more is a second Log4j vulnerability, which is being tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45046\" target=\"_blank\" rel=\"noopener\">CVE-2021-45046<\/a> and is a less severe flaw (with a CVSS rating of 3.7 out of 10) than the first (the highest severity, a 10 out of 10 rating). It affects versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0; version 2.15.0 is the <a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/download.html\" target=\"_blank\" rel=\"noopener\">emergency fix<\/a> the Apache Software Foundation (ASF) issued late last week to address the initial vulnerability. The ASF said the emergency patch for Log4Shell was \u201cincomplete in certain non-default configurations.\u201d<\/p>\n<p>The group, which is the project maintainer for Log4j, wrote in an <a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/security.html\" target=\"_blank\" rel=\"noopener\">advisory<\/a> that the new vulnerability could be leveraged to &#8220;craft malicious input data using a\u00a0JNDI\u00a0[Java Naming and Directory Interface] Lookup pattern resulting in a <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-to-stop-ddos-attacks-tips-for-fighting-ddos-attacks\/\">denial-of-service (DoS)<\/a> attack.\u201d<\/p>\n<p>Casey Ellis, founder and CTO of Bugcrowd, told <em>eSecurity Planet<\/em> that it isn\u2019t surprising that other vulnerabilities were found in Log4j or that fixes for the software could trigger more research and discovery in the wake of a vulnerability as noisy as Log4Shell.<\/p>\n<p>\u201cIn this case, the initial fix provided was developed in a way that mitigated the exploitable symptom, but didn&#8217;t properly address the root cause,\u201d Ellis said 
while giving plaudits to the Log4j maintainers. \u201cThis also highlights the dangerous dependency open-source users have on libraries which power large portions of the internet but are ultimately written and maintained by unfunded volunteers with limited available time. A huge shoutout to the Log4j maintainers, who I&#8217;m sure have had an even busier and more stressful week than those in cybersecurity.\u201d<\/p>\n<h2><strong>More Flaws on the Way?<\/strong><\/h2>\n<p>Davis McCarthy, principal security researcher at Valtix, told <em>eSecurity Planet<\/em> that the \u201ctechnique of abusing JNDI lookups with user-generated data has been around for years. With the attention CVE-2021-44228 has received, I wouldn\u2019t be surprised if we saw a third CVE related to Log4j2.\u201d<\/p>\n<p>Amid all this, cybersecurity professionals and tech firms are trying to stem the tide of the attacks. Beyond the emergency patch issued by the ASF, Cybereason this week <a href=\"https:\/\/www.esecurityplanet.com\/threats\/cybersecurity-vaccines-ransomware-vulnerability-defense\/\">issued a \u201cvaccine\u201d<\/a> for the vulnerability, while the NCC Group rolled out a mitigation to keep Log4j from loading classes remotely over LDAP and CrowdSec unveiled an exploit detection tool.<\/p>\n<p>The latest to offer a Log4j defense tool is WhiteSource, which is offering a free developer tool, <a href=\"https:\/\/github.com\/whitesource\/log4j-detect-distribution\" target=\"_blank\" rel=\"noopener\">WhiteSource Log4j Detect<\/a>, a CLI tool to help organizations detect and remediate the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046.<\/p>\n<h2><strong>CISA Steps In<\/strong><\/h2>\n<p>In addition, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) is <a href=\"https:\/\/www.cisa.gov\/uscert\/apache-log4j-vulnerability-guidance\" target=\"_blank\" rel=\"noopener\">ramping up its messaging<\/a> about Log4Shell. In an updated advisory, the agency ordered all civilian federal agencies to patch Log4j and three other vulnerabilities by Dec. 24 and placed Log4Shell on its <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">Known Exploited Vulnerabilities<\/a> list.<\/p>\n<p>CISA also is urging vendors to identify, mitigate and update impacted products using the latest patch, which protects against both Log4Shell and the subsequent flaw, to inform customers of their products\u2019 exposure to the vulnerability, and to encourage them to prioritize software updates.<\/p>\n<p>This comes as CISA met with industry leaders Dec. 13 in a phone briefing, urging them to take immediate action. <a href=\"https:\/\/www.cnn.com\/2021\/12\/13\/politics\/us-warning-software-vulnerability\/index.html\" target=\"_blank\" rel=\"noopener\">According to CNN<\/a>, CISA Director Jen Easterly reportedly told the executives that \u201cthis vulnerability is one of the most serious that I&#8217;ve seen in my entire career, if not the most serious. We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents.\u201d<\/p>\n<p>Taking the steps outlined by CISA won\u2019t be easy, Bugcrowd\u2019s Ellis said.<\/p>\n<p>\u201cThat&#8217;s going to be nearly impossible for most organizations,\u201d he said. \u201cThey need to find Log4j before they can patch it, and many are still stuck on that step. 
If Log4j is found, it&#8217;s likely that it is deeply embedded in existing applications and will require regression testing to ensure that a patch doesn&#8217;t break anything else. In short, the time pressure is a good thing for activating those who aren&#8217;t taking this seriously, but this will be a difficult timeframe for many to meet.\u201d<\/p>\n<h2><strong>A Cyber Pandemic<\/strong><\/h2>\n<p>Still, the Check Point researchers warned that unless companies and service providers take immediate action to prevent attacks on their products, the Log4Shell vulnerability \u201cseems that it will stay with us for years to come.\u201d<\/p>\n<p>\u201cSince the outbreak of the COVID-19 pandemic, society has already gotten used to learning about variants, spread and other terminology that is taken from epidemiology theories,\u201d they wrote. \u201cThe phenomena the world is witnessing with the exploitation of this vulnerability is very much identical. Given the upcoming holiday seasons, when security teams may be slower to implement protective measures, the threat is imminent. 
This acts precisely like a cyber pandemic \u2013 highly contagious, spreads rapidly and has multiple variants, which force more ways to attack.\u201d<\/p>\n<p>Further reading: <a href=\"https:\/\/www.esecurityplanet.com\/products\/third-party-risk-management\/\">Best Third-Party Risk Management (TPRM) Tools of 2021<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nation-state cyber threat groups and ransomware attackers are moving in to exploit a critical flaw found in the seemingly ubiquitous Apache Log4j open-source logging tool, as attacks spread just days after the vulnerability that could affect hundreds of millions of devices was made public late last week. Microsoft researchers reported that the remote code execution [&hellip;]<\/p>\n","protected":false},"author":256,"featured_media":20273,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[15],"tags":[3351,23281],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[382,418,379],"class_list":["post-20269","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threats","tag-apache","tag-open-source-security","b2b_audience-awareness-and-consideration","b2b_product-application-security-vulnerability-management","b2b_product-linux-servers","b2b_product-threats-and-vulnerabilities"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"With attacks growing in number and severity, organizations must patch Log4j quickly - which isn&#039;t so easy.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw | eSecurity Planet\" \/>\n<meta property=\"og:description\" content=\"With attacks growing in number and severity, organizations must patch Log4j quickly - which isn&#039;t so easy.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-16T20:00:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-23T19:06:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png\" \/>\n\t<meta property=\"og:image:width\" content=\"849\" \/>\n\t<meta property=\"og:image:height\" content=\"549\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeff Burt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeff Burt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\"},\"author\":{\"name\":\"Jeff Burt\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e\"},\"headline\":\"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw\",\"datePublished\":\"2021-12-16T20:00:03+00:00\",\"dateModified\":\"2021-12-23T19:06:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\"},\"wordCount\":1653,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png\",\"keywords\":[\"Apache\",\"open source security\"],\"articleSection\":[\"Threats\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\",\"name\":\"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw | eSecurity 
Planet\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png\",\"datePublished\":\"2021-12-16T20:00:03+00:00\",\"dateModified\":\"2021-12-23T19:06:10+00:00\",\"description\":\"With attacks growing in number and severity, organizations must patch Log4j quickly - which isn't so easy.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png\",\"width\":849,\"height\":549,\"caption\":\"Growing Log4j attacks\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity 
Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e\",\"name\":\"Jeff Burt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg\",\"caption\":\"Jeff Burt\"},\"description\":\"Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. 
A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/jburt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw | eSecurity Planet","description":"With attacks growing in number and severity, organizations must patch Log4j quickly - which isn't so easy.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/","og_locale":"en_US","og_type":"article","og_title":"Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw | eSecurity Planet","og_description":"With attacks growing in number and severity, organizations must patch Log4j quickly - which isn't so easy.","og_url":"https:\/\/www.esecurityplanet.com\/threats\/nation-state-ransomware-groups-apache-log4j\/","og_site_name":"eSecurity Planet","article_published_time":"2021-12-16T20:00:03+00:00","article_modified_time":"2021-12-23T19:06:10+00:00","og_image":[{"width":849,"height":549,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/12\/Log4j-Check-Point-graph.png","type":"image\/png"}],"author":"Jeff Burt","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Jeff Burt","Est. 
reading time":"8 minutes"}}}