A few days back, we got to know that threat actors are abusing a critical vulnerability—Log4Shell—in Log4j and propagating malware. Now, the attacks have grown more severe as new details emerge.

Diving into details

Apart from the first vulnerability, CVE-2021-44228, two more flaws have emerged.
  • The second vulnerability in Log4j is tracked as CVE-2021-45046 and is related to denial of service. It is rated 3.7 out of 10 on the CVSS scale and impacts all Log4j versions from 2.0-beta9 through 2.12.1 and from 2.13.0 through 2.15.0.
  • Security firm Praetorian uncovered another vulnerability in version 2.15.0 that can allow exfiltration of confidential information in specific circumstances. No identifier for the flaw has yet been issued.

Multiple nation-state actors attack

  • Microsoft noted that nation-state threat actors from China, Turkey, North Korea, and Iran are abusing the CVE-2021-44228 vulnerability.
  • Some of the groups identified include Hafnium (China-linked) and Phosphorus (Iran-linked). While the former is focusing on attacking virtualization infrastructure, the latter is mainly focused on deploying ransomware.
  • Threat actors are mass scanning for vulnerable systems, and there has been a rapid uptake of the flaw into existing botnets, including Mirai.
  • Bitdefender reported that threat actors are attempting to infect Windows systems with the new Khonsari ransomware, along with Orcus RAT.
  • However, Khonsari was in limited distribution and its server now serves as a generic backdoor.

Why this matters

Researchers suspect that it is probably a threat actor experimenting with deploying Khonsari, but it should be noted that other advanced threat actors are also exploiting the new attack vector. They might use this opportunity to gain full access to networks and conduct a full-fledged, large-scale attack. Although Khonsari has been termed a ‘skid-level ransomware’, it should be assumed that threat actors from every domain are working on ways to monetize the Log4Shell vulnerability.

The bottom line

Cybercriminals are using this window of opportunity to gain access to whatever they can right now and capitalize on it later. Users requiring Java 8 or later are recommended to update to Log4j version 2.16.0, and users requiring Java 7 are recommended to update to version 2.12.2 when it becomes available. Defenders are advised to minimize exposure by patching and mitigating every aspect of the organizational network and carefully examining exposed and potentially infected systems.
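The affected ranges listed under "Diving into details" and the fixed releases named above are the first thing a defender needs to turn into an inventory check. The script below is an added example, not code from the article or from the Log4j project: it walks a directory tree for jars named `log4j-core-<version>.jar` (the upstream naming convention, assumed here to be how the library was deployed), parses the version string including pre-release tags such as `2.0-beta9`, and classifies each jar against the inclusive ranges and fixed versions the article states. The sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Inclusive affected ranges for CVE-2021-45046 as stated in the article.
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]
# Fixed releases named in the article: 2.16.0 (Java 8+) and 2.12.2 (Java 7).
FIXED_VERSIONS = ("2.16.0", "2.12.2")

# major.minor[.patch][-tagN], e.g. "2.15.0" or "2.0-beta9"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-zA-Z]+)(\d*))?$")
_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def parse_version(text):
    """Turn a Log4j version string into a comparable tuple.

    Pre-releases (beta, rc) sort below the final release of the same
    number, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, tag.lower(), int(tagnum or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def classify(version):
    """Return 'fixed', 'vulnerable' or 'not_listed' for one version string."""
    v = parse_version(version)
    if v in {parse_version(f) for f in FIXED_VERSIONS}:
        return "fixed"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "vulnerable"
    # Anything outside the ranges the article gives (e.g. 1.x or later 2.x)
    # is reported as such rather than silently treated as safe.
    return "not_listed"


def scan_tree(root):
    """Walk root and map every log4j-core jar path to its classification."""
    findings = {}
    for path in Path(root).rglob("log4j-core-*.jar"):
        m = _JAR_RE.match(path.name)
        if not m:
            continue
        try:
            findings[str(path)] = classify(m.group(1))
        except ValueError:
            findings[str(path)] = "unparseable"
    return findings


def build_sample_tree():
    """Constructed sample deployment: empty files standing in for jars."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    for rel in (
        "app1/lib/log4j-core-2.14.1.jar",    # in 2.13.0..2.15.0 -> vulnerable
        "app2/lib/log4j-core-2.16.0.jar",    # named fix -> fixed
        "legacy/log4j-core-2.0-beta9.jar",   # lower bound of first range
        "java7/log4j-core-2.12.2.jar",       # named Java 7 fix -> fixed
    ):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return root


if __name__ == "__main__":
    for jar, status in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{status:11} {jar}")
```

The check only looks at jar filenames, so it misses log4j classes that were shaded into an application jar or unpacked into a classes directory; treat a clean result as a starting point for the closer examination of exposed systems the article recommends, not as proof of absence.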

Cyware Publisher