- Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said the agency has not yet seen the Log4j vulnerability used for significant intrusions but cautioned that sophisticated threat actors may be lying in wait for cybersecurity defenders to be caught off guard during a lower level of awareness.
- Threat actors have used the vulnerability to install and sell cryptomining software on victims' computers and to potentially launch future botnet attacks. CISA cannot independently confirm research showing nation-state threat actors developing attacks based on Log4Shell, Easterly said during a presser Monday.
- Microsoft security researchers identified a China-based threat actor, tracked as DEV-0401, exploiting the Log4j vulnerability in systems using VMware Horizon to deploy NightSky ransomware, researchers said in an updated blog.
CISA officials expect to see more aggressive activity in the future, though potential threat actors may have a lower profile in the short term amid the heightened industry focus on Log4j.
"This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert," Easterly said.
Easterly referenced the 2017 Equifax breach, which was revealed in September of that year but was based on an open source vulnerability discovered in March. During the Equifax attack, threat actors remained undetected inside the company's systems for months, which CISA officials argue could be the reason why no major Log4j attacks have taken place today.
The new disclosures by Microsoft may lead officials to reassess the immediate threat level. Microsoft identified threat activity as early as Jan. 4 and attackers are using command-and-control servers that spoof legitimate domains. CISA said earlier that it was aware of the NHS research about unknown actors targeting VMware Horizon.
Researchers from NHS Digital in the U.K. warned last week that unknown threat actors were targeting Log4Shell vulnerabilities in VMware Horizon to install webshells, opening up potential victims to attack, including ransomware, data exfiltration or other scenarios.
Microsoft, Mandiant, CrowdStrike and other security researchers have over the past month reported nation-state activity by multiple adversaries, including China, Iran and others.
CISA officials remain focused on driving remediation of vulnerable assets as well as the adoption of strong security practices.
Companies have been slow to track down vulnerabilities embedded in software and slow to update security patches, leaving organizations that often depend on third-party vendor relationships vulnerable to malicious attacks.
"It is absolutely critical that organizations know what software is in their environment so they can properly patch and keep up to date," said Chuck Everette, director of cybersecurity advocacy at Deep Instinct. "In 2021, there have been multiple vulnerabilities reported that organizations have been slow to patch, let alone identify running in their environments."