Data from 2021 highlights a significant increase in corporate network-focused cyber attacks as compared with figures from 2020. Cyber security researchers attribute some of the increases, which were concentrated towards the end of the year, to the Log4j vulnerability, which surfaced in December.
Since then, the world has watched as a series of advanced persistent threat groups continue to exploit serious vulnerabilities in the Apache Log4j software. In some cases, organizations may not be aware of the fact that their environments are compromised.
The Cybersecurity and Infrastructure Security Agency (CISA) warns that, although “no significant intrusions” have occurred to-date, hackers may be waiting to pull the trigger.
Experts have observed a series of nation state-backed threat actors leveraging Log4j vulnerabilities for their own pursuits. Here’s what we know about who’s behind the nefarious activities and what’s happening right now.
Phosphorus or APT35
The hacking group known as Phosphorous or APT35 is using the Log4j vulnerability to deploy malware. The group is distributing a new modular PowerShell toolkit.
This advanced threat group is one of several state-backed hacking entities known to have been developing tools and techniques to exploit public-facing Java applications that rely on unpatched Log4j-based code.
Microsoft has observed this group’s increasing use of ransomware in attacks. According to further professional analysis by Check Point researchers, APT35’s Log4j work came across as amateurish and “obviously rushed,” using a basic publicly available JNDI exploit kit. In turn, this made attacks easy to detect and attribute.
Night Sky ransomware
An unknown group of hackers is distributing the Night Sky crypto-locking malware, which involves a ransom demand and double extortion techniques. One Night Sky victim received a ransom demand of $800,000. In exchange for payment, attackers agreed to provide a decryptor and to withhold stolen data from public view.
As Log4j challenges evolve, vendors will continue to identify and patch vulnerable systems and software, after which customers and users will need to test the updates and release them within their own environments.
The challenge is compounded by the fact that a large number of vulnerable products and services are embedded within other products and services. “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment,” says Microsoft.
On account of the numerous software elements and services that are impacted and the pace of updates, attention to Log4j issues may require ongoing, sustained vigilance.
White House meeting
Today, the White House meets with representatives from major players in the tech space to discuss software security and open source tools. Meeting attendees include leaders of companies like the Apache Software Foundation, Oracle, IBM, Linux, Apple, Google and Facebook.
“Building on the Log4j incident, the objective of this meeting is to facilitate an important discussion to improve the security of open source software — and to brainstorm how new collaboration could rapidly drive improvements,” stated a senior Biden administration official ahead of the meeting.
Despite the fact that Log4j is several months old at this point, the Log4j threat remains prevalent. Unpatched systems are still out there. A significant number of Dev teams are still downloading vulnerable libraries. One repository that maintains open-source code has clocked more than 7,500 of these downloads per hour.
This is concerning in light of a recently discovered botnet that uses the Log4j vulnerability to infect new botnet hosts. Researchers first observed this botnet, known as B1txor20, in early February, when the first sample became trapped via one of their honeypot systems.
Security researchers have determined that the majority of exploitation attempts associated with Log4j (since the January timeframe) have come from US-based IP addresses, followed by those within Japan, central Europe and Russia.
The easiest way to ensure that botnet attacks don’t destroy your enterprise is to update Log4j to version 2.17.1 or later and to generally keep web applications up-to-date. While the majority of Log4j threat actors are likely to disappear into the ether as we move further away from the initial Log4j discovery, some will continue to target vulnerable Log4j libraries.
In some cases, high-value organizations that proved lucrative for ransomware attacks have applied the requisite security patches and updates, but have neglected older operating systems that the company continues to rely on. These systems can become liabilities and key targets for botnet builders.
To get in-depth insights into Log4j, mitigation measures and corresponding security solutions, click here and here. Lastly, please join us at the premiere cyber security event of the year, CPX 360 2022. Register here.