Dive Brief:
- Malicious actors have made more than 1.8 million attempts to exploit the Log4j vulnerability, according to Check Point Software, targeting almost half of the corporate networks that the company tracks worldwide.
- Financially motivated threat actors are attempting to leverage the vulnerability against potential victims, according to Mandiant. Cryptominers were the first to exploit Log4j at scale, but other financially motivated attackers are expected to follow with data theft, ransomware and extortion.
- Threat actors are exploiting the Log4j vulnerability in Minecraft: Java Edition and customers running their own servers need to patch right away, Microsoft said. Customers running Minecraft servers that are not hosted by Microsoft are facing attacks from the Khonsari ransomware, a new family that was reported in recent days.
Dive Insight:
While Minecraft servers are not usually enterprise assets, attackers are dropping PowerShell-based reverse shells onto compromised Minecraft systems, giving them full control of the host. They then run Mimikatz, an open source credential dumping tool, to harvest credentials, a technique routinely used in attacks on enterprise networks.
Microsoft has not detected follow-on activity, but said attackers may be stockpiling this access for use in future attacks.
Mandiant has observed nation-state activity from China and Iran, and additional state actors will likely attempt to exploit the vulnerability.
Microsoft earlier this week warned of nation-state activity using Log4j from China, Iran, North Korea and Turkey. An Iranian actor called Phosphorus has been observed deploying ransomware and obtaining and modifying the Log4j exploit, the company said. Meanwhile Hafnium, the China-based threat actor linked to the Microsoft Exchange attacks earlier this year, has been seen exploiting the Log4j vulnerability to attack virtualization infrastructure, according to Microsoft's blog post.
The Biden administration in July accused China of backing malicious cyberattacks against U.S. targets, including using contract hackers to launch ransomware, but did not announce any specific sanctions. The National Security Agency, the FBI and CISA also issued warnings about Chinese state actors looking to exploit vulnerabilities in Apache, Pulse Secure, Microsoft and F5 BIG-IP products.
Multiple groups of access brokers are also using Log4j to gain initial access to targeted networks, trying to sell access to groups affiliated with ransomware as a service, Microsoft said. The access brokers are attempting to exploit Windows and Linux systems.
Companies need to take proactive steps to mitigate against the potential impact of Log4j, according to Gartner. Remote employees need to update their personal devices and routers, as they are seen as particularly vulnerable targets.
CISOs need to invoke severe incident response measures, including briefings for top officials inside the organization such as the CIO, CEO and board of directors.
"Gartner's advice is that in the event of a choice between availability and downtime to safeguard customer funds and critical data, then downtime may be the reluctantly preferred choice," Jonathan Care, senior research director at Gartner, said via email.
IT supply chains, remote working environments and enterprise IT architectures are all "significant points of weakness requiring a Herculean task of examination and remediation," Care said.