Microsoft has warned the security community that the Log4j vulnerabilities still represent a complex and high risk for companies across the globe, as this open-source component is widely used across many suppliers' software and services.
In an update, the company says it has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (such as nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities, and Microsoft says there is high potential for their expanded use.
Exploitation attempts and testing were high during the last weeks of December, with many existing attackers adding exploits of Log4j vulnerabilities to their existing malware kits and tactics, from coin miners to hands-on keyboard attacks.
Stefano De Blasi, Cyber Threat Intelligence Analyst at Digital Shadows, a provider of digital risk protection solutions, notes that the latest guidance emphasizes that the Log4Shell vulnerabilities remain an important target for various threat actors with differing objectives.
De Blasi explains that attackers have mainly been observed mass scanning for this vulnerability to identify vulnerable systems. He says, "This indicates that attackers are fully aware of the severity of this bug and potential for widespread exploitation of this set of vulnerabilities. Log4j represents a useful medium for gaining an initial foothold in targeted environments, which can be further compromised later on. Once attackers have gained access to a victim's application through the exploitation of Log4j, they have performed a variety of attacks, such as installing coin miners, performing credential theft and lateral movement, and exfiltrating sensitive data. Surprisingly enough, the number of ransomware attacks did not increase along with discovering this set of vulnerabilities; however, Initial Access Brokers' (IABs) interest in this vulnerability has been observed; this includes incorporating Log4Shell in IAB toolkits. As such, these actors are likely establishing a foothold on vulnerable corporate environments, with accesses to these networks likely to be sold at a later stage in cybercriminal forums."
Organizations may not realize that their environments may have been compromised. "Due to the many software and services that are impacted and given the pace of updates, Microsoft expects the vulnerabilities to have a long tail for remediation, requiring ongoing, sustainable vigilance," the company says.
Ray Kelly, Fellow at NTT Application Security, an application security provider, says, "The importance of detection cannot be overstated as it is not always obvious which software is utilizing a vulnerable version of the Log4j library. Microsoft has laid out several methods for detecting active exploit attempts utilizing Log4j; however, identifying the vulnerable version before an attack would be ideal. This will be a continuing battle for both consumers and vendors going forward into 2022 in what will need to be a two-pronged approach. Security vendors have been quick on the response for consumers by adding Log4j rules that enable DAST scanners to detect if a website can be exploited with a malicious Log4j web request against a company's web server. At the same time, vendors must ensure that they are not shipping software with the vulnerable version using tools such as SCA."
Jake Williams, Co-Founder and CTO at BreachQuest, incident response provider, believes that any organization asking today what they need to do regarding Log4j almost certainly has an incident on their hands. "Every organization with a security team knows what needs to be done to hunt down Log4j; they just need the resources and political backing to actually get it done," Williams adds. "Being exploited through an internet-facing system running vulnerable Log4j at this point is a leadership failure, not a technical one."
Security teams should employ a two-fold approach when dealing with potential Log4Shell intrusions, De Blasi says. "First, defenders should prioritize identifying and remediating vulnerable appliances with the provided scripts and scanning tools. Second, if an intrusion has been detected, defenders should escalate the investigation and incident response to ensure that compromised environments are remediated effectively," he says.
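Both Kelly's point about identifying the vulnerable library version before an attack and De Blasi's first step (finding vulnerable appliances with scanning tools) come down to the same inventory problem: locating every copy of log4j-core on a host, including copies buried inside WAR, EAR and fat-JAR bundles, and comparing their versions against the fixed releases. The script below is an added illustration of that SCA-style check, not code from Microsoft, Digital Shadows, NTT or the Log4j project. It reads the Maven `pom.properties` that log4j-core ships inside its JAR, recurses into nested archives, and flags the presence of the `JndiLookup` class. The version floors it encodes (2.17.1 on the main line, with 2.12.4 and 2.3.2 on the backport branches) are this example's assumption and should be checked against the project's advisories; the sample archives it scans are constructed in a temporary directory so the script runs offline.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Assumed fixed floors for the December 2021 Log4j 2 issues: main line 2.17.1,
# with backport branches 2.12.4 and 2.3.2. Verify against the project's advisories.
MAIN_LINE_FLOOR = (2, 17, 1)
BACKPORT_FLOORS = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string such as '2.14.1' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are tolerated by keeping only the leading numeric fields."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_vulnerable(version: str) -> bool:
    """True when a log4j-core 2.x version is below the fixed floor for its branch."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # Log4j 1.x is end of life and out of scope for this check
    return v < BACKPORT_FLOORS.get(v[:2], MAIN_LINE_FLOOR)


def inspect_archive(zf: zipfile.ZipFile, label: str, findings: List[Dict]) -> None:
    """Record log4j-core evidence in one archive, then recurse into nested archives."""
    names = set(zf.namelist())
    version: Optional[str] = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_LOOKUP in names:
        findings.append({
            "location": label,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in names,
            "vulnerable": is_vulnerable(version) if version else None,
        })
    # Fat JARs and WAR/EAR bundles carry log4j-core as a nested archive.
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Dict]:
    """Walk a directory tree and inspect every archive found under it."""
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar holding only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def demo() -> Dict[str, Optional[bool]]:
    """Lay out constructed archives in a temp dir, scan them, and map file name -> vulnerable flag."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for ver in ("2.14.1", "2.17.1"):
            with open(os.path.join(root, "lib", f"log4j-core-{ver}.jar"), "wb") as f:
                f.write(build_sample_jar(ver))
        war = io.BytesIO()  # a WAR bundling an old backport-branch log4j-core
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.12.3.jar", build_sample_jar("2.12.3"))
        with open(os.path.join(root, "app.war"), "wb") as f:
            f.write(war.getvalue())
        results = scan_tree(root)
    return {os.path.basename(r["location"]): r["vulnerable"] for r in results}


if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it with a root directory as the first argument to inventory a real host; without one it scans the current directory. A finding with `version` set to `None` but `jndi_lookup_present` true means a repackaged or shaded copy whose Maven metadata was stripped, which is exactly the kind of copy that a version-only check misses and that warrants manual review.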