- As U.S. industries and government agencies restart operations after the winter holiday break, security researchers are warning the impacts of the Log4j vulnerability will continue to leave organizations open to potential threats in the coming weeks and months.
- "Exploitation attempts and scanning remained high during the last weeks of December," Microsoft said in an updated blogpost. Attackers have added exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks.
- The Apache Software Foundation released version 2.17.1 of Log4j last week, the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses the risk of remote code execution when an attacker with certain permissions can create a malicious configuration using a JDBC Appender, according to Apache.
Security researchers say the longer term effects of Log4j are just beginning to play out across the industry.
"As we move into 2022 we are seeing the ripples on the effects of the Log4j critical vulnerability being the new preferred threat vector for cybercriminals," said Chuck Everette, director of cybersecurity advocacy at Deep Instinct.
Log4j downloads on Maven Central surpassed 8 million since the vulnerability was first disclosed, according to Brian Fox, CTO at Sonatype. The latest release 2.17.1 saw the lowest adoption rate of all the releases, as a number of security researchers raised questions about whether the CVE-2021-44832, should have been treated as a full vulnerability.
Researchers from Checkmarx said the vulnerability created the potential of arbitrary code execution, after a dispute arose over prior claims.
Most federal agencies have patched or used alternate mitigation methods to resolve the potential exposure to Log4j issues, according to the Cybersecurity and Infrastructure Security Agency (CISA). The agencies had a Christmas Eve deadline to take remediation steps.
"Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support 'solution stacks' that accept data input from the internet," a CISA spokesperson said.
In mid-December, researchers from Mandiant and Microsoft warned that nation-state actors were attempting to use the Log4j vulnerability to launch attacks against potential targets.
CrowdStrike disrupted an attack against a large academic institution by China-based threat actor Aquatic Panda, according to a blogpost from the security firm. The attack was detected amid suspicious activity involving a VMware Horizon Tomcat web server. VMware issued guidance in December regarding potential Log4j vulnerabilities connected to VMware Horizon.
"The security of our customers is a top priority at VMware as we respond to the industry-wide Apache Software Foundation Log4j vulnerability," a VMware spokesman said in a statement. The company issued a security advisory on Dec. 10, which includes regular updates and fixes and the firm is encouraging customers to subscribe to its security advisories mailing list.
CrowdStrike researchers declined to provide any specific geographic information or other details on the attacked organization.
"While we cannot directly state that we are seeing broader use of this particular vulnerability by espionage actors, its viability as an access method is already proven," Param Singh, VP of Falcon OverWatch at Crowdstrike told Cybersecurity Dive via email.
Aquatic Panda is connected to industrial espionage and intelligence collection and linked to activity starting in May 2020, according to CrowdStrike. Prior targets have mainly involved telecommunications, technology and government entities and the threat actor has relied heavily on Cobalt Strike to launch attacks, including the use of a downloader known as FishMaster, according to CrowdStrike.
VMware officials noted that any internet-connected service that isn't yet protected against Log4j is vulnerable, and recommended immediate patching.