Nation-state actors from China, Iran, North Korea, and Turkey join the Log4Shell exploitation party
The severe Log4j vulnerability (referred to as Log4Shell) is being exploited by malicious actors worldwide, including nation-state sponsored cyber groups.
Researchers continue to monitor threats taking advantage of the Log4j 2 vulnerability. The vulnerability affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library with over 400,000 downloads from its GitHub project. It is widely used in business system development and is included in various open-source libraries.
The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft, and more.
The Microsoft Threat Intelligence Center (MSTIC) has observed Log4Shell being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey.
“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” the company said in its latest update.
For example, MSTIC has observed PHOSPHORUS, an Iranian threat actor that has been deploying ransomware, acquiring and modifying the Log4j exploit.
“We assess that PHOSPHORUS has operationalized these modifications,” Microsoft said.
HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
As Check Point researchers pointed out, exploiting this vulnerability is simple and allows threat actors to control Java-based web servers and launch remote code execution attacks.
The vulnerability, it seems, had been in the wild for at least nine days before the public disclosure. Cloudflare's data suggests that mass exploitation started after the news of Log4Shell broke. Many experts predict that the speed at which attackers harness and use the vulnerability will only intensify.