Skip to main content
close search
site logo
Dive Brief

Log4j threat activity limited, but CISA says actors lay in wait

Published Jan. 11, 2022
David Jones's headshot
Reporter
Kevin Dietsch / Staff via Getty Images

Dive Brief:

  • Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said the agency has not yet seen the Log4j vulnerability used for significant intrusions but cautioned that sophisticated threat actors may be lying in wait for cybersecurity defenders to be caught off guard during a lower level of awareness.
  • Threat actors have used the vulnerability to install and sell cryptomining software on victims' computers and to potentially launch future botnet attacks. CISA cannot independently confirm research showing nation-state threat actors developing attacks based on Log4Shell, Easterly said during a presser Monday. 
  • Microsoft security researchers identified a China-based threat actor, tracked as DEV-0401, exploiting the Log4j vulnerability in systems using VMware Horizon to deploy NightSky ransomware, researchers said in an updated blog.

Dive Insight:

CISA officials expect to see more aggressive activity in the future, though potential threat actors may have a lower profile in the short term amid the heightened industry focus on Log4j. 

"This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert," Easterly said. 

Easterly referenced the 2017 Equifax breach, which was revealed in September of that year but was based on an open source vulnerability discovered in March. During the Equifax attack, threat actors remained undetected inside the company's systems for months, which CISA officials argue could be the reason why no major Log4j attacks have taken place today.

The new disclosures by Microsoft may lead officials to reassess the immediate threat level. Microsoft identified threat activity as early as Jan. 4 and attackers are using command-and-control servers that spoof legitimate domains. CISA said earlier that it was aware of the NHS research about unknown actors targeting VMware Horizon.

Researchers from NHS Digital in the U.K. warned last week that unknown threat actors were targeting Log4Shell vulnerabilities in VMware Horizon to install webshells, opening up potential victims to attack, including ransomware, data exfiltration or other scenarios. 

Microsoft, Mandiant, CrowdStrike and other security researchers have over the past month reported nation-state activity by multiple adversaries, including China, Iran and others.

CISA officials remain focused on driving remediation of vulnerable assets as well as the adoption of strong security practices.  

Companies have been slow to track down vulnerabilities embedded in software and slow to update security patches, leaving organizations that often depend on third-party vendor relationships vulnerable to malicious attacks. 

"It is absolutely critical that organizations know what software is in their environment so they can properly patch and keep up to date," said Chuck Everette, director of cybersecurity advocacy at Deep Instinct. "In 2021, there have been multiple vulnerabilities reported that organizations have been slow to patch, let alone identify running in their environments."

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell