10 days after news of a critical Log4j library vulnerabilities broke, and numerous updates and patches later, this vulnerability – dubbed Log4Shell (originally CVE-2021-44228) – remains the number one cybersecurity problem currently faced by millions of websites, perhaps even billions, with all hands on deck.
On Friday, Apache rolled out a new patch, version 2.17.0, noting that its “Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.” Also on Friday, CISA issued an emergency directive, requiring federal agencies to mitigate the vulnerabilities by December 23rd.
“The log4j vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly. “If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”
Indeed, the library’s ubiquity, the sheer ease of exploiting the vulnerability (basically, replacing one code line), and the fact that many organizations don’t even know whether this code was even employed in their systems – and if so, where – make this a whirlwind race, where competitors (malicious actors on the one hand, cybersecurity experts on the other), are attempting to be the first to locate Log4Shell flaws.
Most, if not all, leading cybersecurity and IT management companies have released an abundance of information on the vulnerability, coupled with detection and patching instructions. But the horses have left the barn. It is now impossible to even assess how many cybercrimes are being committed at any given moment via Log4Shell exploitation.
For example: the Microsoft Threat Intelligence Center has observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey.” This, according to its blog post.
Two of the group observed by Microsoft are PHOSPHORUS, an Iranian-linked threat actor, HAFNIUM, which is linked to china. Check Point also reported activity by the same Iranian-linked group, also known as “Charming Kitten” or ATP35, stating that it had tried to attack seven Israeli government and business targets over 24 hours last week.
Various ransomware groups have also joined the party. Security firms Advanced Intelligence and Recorded Future, for instance, have both discovered action by Conti, one of the most prolific ransomware groups. So has the old ransomware family, Tell YouThePass, among others. New ransomware deployment as has also been observed.