Log4j Cyber Security Vulnerability Sends Shock Waves Around the World

Log4j Flaw

Khonsari ransomware deployed as payload post-exploitation

Bitdefender and other security experts have stated that the Khonsari ransomware family is now being delivered as a post-exploitation payload, as reported by Microsoft. Microsoft says it has seen a small number of instances of this malware being deployed from hacked Minecraft clients connected to modified Minecraft servers running an insecure version of Log4j 2 utilizing a third-party Minecraft.

Nation-state actors among the attackers

According to Microsoft Security Intelligence (MSTIC), nation-state actors are actively taking advantage of the newly disclosed zero-day vulnerability. In a blog post, MSTIC stated that it has observed attacks originating from China, Iran, North Korea, and Turkey. The activity ranges from experimentation to in-the-wild payload deployment and exploitation against targets to achieve their objectives.

MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and modifying the Log4j exploit. MSTIC assesses that PHOSPHORUS has operationalized these modifications.

In addition, HAFNIUM, a threat actor group operating out of China, has been observed using the vulnerability to attack virtualization infrastructure, extending its typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.

The Cyber Security world is experiencing one of the worst computer vulnerabilities ever seen. It is sending shock waves worldwide in the IT sector as more IT professionals sound the alarm over the growing number of servers being exploited.

The Log4j vulnerability was first disclosed last Thursday, and hackers were quick to begin exploitation of the flaw, which has resulted in many servers being taken over for ransomware demands.

Cyber Security experts have hinted that the full extent of the Log4j vulnerability and damage that may have been caused might not be known for weeks to come.

What is Log4j, and what is the security flaw?

The Log4j utility is an open-source program used to log activity on computers. It has become ubiquitous in everything from enterprise apps and cloud services to home internet-connected devices and games. This means enterprises, small businesses, and home users can all become victims of this flaw.

Log4j is used to keep track of software events, errors, and other information, also known as logs. Because Log4j is a freely available open-source tool, it is quick and easy for software developers to add to their projects instead of developing their own logging tool.

The Log4j flaw allows an attacker to trick Log4j into running malicious code by getting it to store a log entry that includes a specific set of text. When that log entry is processed, the malicious text can trigger remote code execution, allowing an attacker to take over the computer or device.

Remote code execution attacks are the most dangerous of all as they allow an attacker to ‘own’ a machine, and once owned, they can use that machine for any purpose they wish.

Rapid exploitation in progress

The past few days have seen a significant increase in scanning for vulnerable hosts and in exploitation attempts. The ease with which the flaw can be exploited means the attack is open to a wide range of hackers of all skill levels.

Some of the world’s largest companies have been confirmed to be affected by the flaw, including Apple, Amazon, Twitter, Steam, Tesla, Cloudflare, and many more.

Cyber Security firm Check Point confirms that it has seen over 100 exploit attempts every minute, with attackers attempting to exploit the flaw on over 40% of the world’s networks.

Apache releases a Patch

Apache assigned a vulnerability rating of ‘critical’ to this flaw and quickly published a patch for it. The race is now on for IT vendors to search their systems, discover whether they are using Log4j, and install the required patches.

However, because the Log4j tool has become ubiquitous, many servers and devices may be unattended and not patched in time. This is especially true for end-of-life software, which is unlikely to receive an update that patches the vulnerability.
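The hard part of the patching race described above is finding every copy of Log4j in the first place, since log4j-core is usually buried inside application wars, ears and fat jars rather than sitting as a visible file. The following is an added example, not code from the article or from Apache: a Python scanner that walks a directory tree, opens each archive and the archives nested inside it, reads the Log4j version from the jar's own Maven pom.properties (which survives bundling), notes whether the JndiLookup class is present, and flags anything below 2.15.0, the first release Apache shipped with the fix. The 2.15.0 floor, the recursion depth and the constructed fixture jars in demo() are assumptions of this example.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Markers inside the log4j-core jar itself; they survive when it is bundled in a war or fat jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIRST_FIXED = (2, 15, 0)  # assumption: first Apache release carrying the fix; treat as a floor, not a ceiling
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def _vtuple(version):
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def inspect_archive(data, label, findings, depth=0):
    """Record any log4j-core found inside `data`, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt): nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            props = zf.read(POM_PROPS).decode() if POM_PROPS in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else None
            findings.append({"path": label, "version": version, "jndi_lookup_present": JNDI_LOOKUP in names,
                             # an unknown version is reported as needing attention, never as safe
                             "needs_patch": version is None or _vtuple(version) < FIRST_FIXED})
        if depth < 3:  # jar inside war inside ear is about as deep as real deployments go
            for entry in sorted(names):
                if entry.lower().endswith(ARCHIVES):
                    inspect_archive(zf.read(entry), f"{label}!{entry}", findings, depth + 1)
    return findings

def scan_tree(root):
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            inspect_archive(p.read_bytes(), str(p), findings)
    return findings

def fake_core(version):  # constructed stand-in for a log4j-core jar, used only by demo()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()

def demo():
    """Lay out a constructed tree (a bare unpatched jar and a war bundling a patched one) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "log4j-core-2.14.1.jar").write_bytes(fake_core("2.14.1"))
        with zipfile.ZipFile(Path(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", fake_core("2.15.0"))
        return scan_tree(tmp)
```

Run scan_tree() against an application root or a library directory; each finding's path uses `!` to show where in a nested archive the copy lives.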

This is a developing story, and we will bring updates to you as they happen.
