Dive Brief:
- The threat from Apache Log4j has expanded in recent days as a second vulnerability emerged and additional nation-state actors increased threat activity against private sector and government targets.
- The Cybersecurity and Infrastructure Security Agency urged organizations to take immediate steps to mitigate potential exposure to the compromise, speaking on a conference call Tuesday. The vulnerability allows deep access into target networks, allowing a threat actor to exfiltrate data or engage in other harmful attacks, according to Eric Goldstein, executive assistant director for cybersecurity of CISA.
- Early-stage attacks using ransomware have already begun, though it is not immediately clear whether any of them have successfully accessed a network, security researchers said. Threat actors have attempted to deploy a novel strain called Khonsari, considered a relatively basic form of ransomware, using backdoors and remote shells, according to Bitdefender.
Dive Insight:
The Apache Log4j flaw is seen as one of the most serious vulnerabilities of the last decade — upwards of 3 billion devices use Java, according to Forrester analyst Allie Mellen. The threat ranges from consumer gaming systems to IoT devices and sophisticated enterprise networks.
The products of at least 25 high-profile enterprise technology vendors are affected, including Amazon, Microsoft, Cisco, VMware and Red Hat, according to a CISA list initially populated by security researcher Kevin Beaumont. Google is also closely following the vulnerability and investigating the potential impact on Google products and services, the company said in a statement. So far, the company has found the vulnerability in its Migrate for Compute Engine and Google Cloud VMware Engine services.
The Log4j vulnerability poses a severe risk to organizations, as hundreds of millions of devices may already be exposed to threat actors attempting remote code execution, CISA officials said.
CISA updated a recent security directive that requires federal agencies to patch by Dec. 24, and has instructed federal agencies to take additional security measures.
The danger lies in part in the fact that threat actors with little to no engineering background can gain access to a network by writing a single line of code. While the threat activity thus far is limited, officials and security researchers expect the level of sophistication and targeting to ramp up quickly.
"It has largely been low-level activity such as cryptominers, but we do expect that adversaries of all sorts will utilize this vulnerability to achieve their strategic goals," Goldstein said.
Researchers from Mandiant have detected nation-state activity from two long-time adversaries of the U.S., and expect other state actors to follow quickly.
"We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to," John Hultquist, VP, intelligence analysis at Mandiant, said in a statement. "We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time."
The threat actors may already have established a wish list of targets to work from, Hultquist said. In other cases, targets may be selected after initial broad targeting.
The Iranian threat actors associated with this vulnerability have been aggressive, taking part in ransomware operations designed for disruption rather than financial gain. The same Iranian actors are also tied to more traditional cyber operations.
In addition to China and Iran, Microsoft has tracked threat activity stemming from North Korea and Turkey, the company said. "This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives."