Threat actors, including at least one nation-state actor, are attempting to exploit the newly disclosed Log4j flaw to deploy ransomware, remote access Trojans, and Web shells on vulnerable systems. All the while, organizations continue to download versions of the logging tool containing the vulnerability.
This new attack activity represents an escalation of sorts from attackers' initial exploitation attempts, which mainly focused on dropping cryptocurrency mining tools and compromising systems with the goal of adding them to a botnet. Targeted systems include servers, virtual machines, PCs, and IP cameras.
CrowdStrike on Tuesday said it has observed a nation-state actor make moves that suggest an interest in exploiting the flaw.
"CrowdStrike Intelligence has observed state-sponsored actor NEMESIS KITTEN — based out of Iran — newly deploy into a server a class file that could be triggered by Log4j," says Adam Meyers, senior vice president of intelligence at CrowdStrike. "The timing, intent, and capability are consistent with what would be the adversary attempting to exploit Log4j," he adds. Meyers describes NEMESIS KITTEN as an adversary that has previously been engaged in both disruptive and destructive attacks.
The latest developments heighten the urgency for organizations to update to the new version of the Log4j logging framework that the Apache Foundation released Dec. 10, or to apply the mitigations it has recommended, security experts said this week.
"Patching, applying [indicators of compromise], and updating threat detection and response is critical right now for all organizations," says Daniel O’Neill, director of global managed detection and response (MDR) operations at Bitdefender.
At this point, most attack activity involving the Log4j flaw continues to be opportunistic in nature, which O'Neill says is typical of the first phase for a zero-day vulnerability. But organizations can expect to see this flaw exploited in more targeted attacks down the road, O'Neill adds. "It is inevitable that more advanced attackers will seek to establish a foothold now and then exploit this vulnerability at a later stage."
Wide Range of Exploit Activity
Bitdefender said its researchers have observed attackers attempting to exploit the flaw to distribute a new ransomware family called Khonsari. This attack involves the use of a malicious .NET file that, once executed, lists all the drives on a vulnerable system and encrypts them all entirely except for the C: drive, where it encrypts specific folders, including documents, videos, and downloads.
In addition to the ransomware, Bitdefender observed attackers trying to establish a foothold on enterprise networks and deploy a known remote access Trojan called Orcus on vulnerable systems.
"We are also seeing attempts at reverse bash shells," O'Neill says. "This technique is used by attackers to gain a foothold in systems for later exploitation. Deploying a reverse shell on these vulnerable servers is relatively simple to do and most likely be followed with a full-scale attack in the future," he warns.
In addition, several botnets — including one called Muhstik — are actively targeting vulnerable servers, both to deploy backdoors and expand the botnet network, according to Bitdefender. "Monitoring botnet activity is often a good prediction of how dangerous a new [remote code execution] really is and potential scale of attacks," O'Neill says.
The remotely executable Log4j flaw — or Log4Shell, as it's now being called — has sparked widespread alarm because it exists in a near-ubiquitously used logging framework in Java applications. Security experts consider the flaw especially troubling because it is relatively easy to exploit and gives attackers a way to gain complete control of any system running a vulnerable application.
Massive Volume of Downloads
New data analysis by Sonatype shows the logging tool was downloaded some 28.6 million times in the past four months alone from Maven Central, a repository for Java components. In November 2021, Log4j version 2.x ranked in the top 0.002% in popularity by downloads out of a total population of some 7.1 million artifacts in the repository. Some 7,000 open source projects are affected by the vulnerability.
"It's such a common piece of code that it’s even a building block in the Ingenuity helicopter aboard the Mars rover," Sonatype said.
Since the Apache Foundation disclosed the flaw last week, there have been at least 633,000 downloads of fixed versions of Log4j, says Sonatype CTO Brian Fox. The number is growing steadily, he says. Even so, 65% of current downloads of Log4j-core involve the earlier, buggy versions of the logging tool.
"We are still seeing massive downloads of known vulnerable versions," which is not all that unusual, Fox says. "Even with all the attention being given to this issue, so many organizations lack the proper visibility into their full portfolio's usage."
While security teams are scrambling to chase down all the usage of Log4j in their environments, developers, and the software builds they are working on, often continue moving forward. "[That] is the usage that we see when watching total consumption worldwide," Fox says.
For attackers, the vulnerability has presented a near-unprecedented opportunity to try to attack and compromise billions of devices worldwide. Akamai, one of several vendors tracking attack activity, said on Tuesday it has observed multiple variants attempting to exploit the vulnerability at a sustained attack volume of 250,000 exploit requests an hour. More than 50% of the attacks so far have been from known threat actors, and the speed at which new exploit variants are evolving is unprecedented, Akamai said.
Internet of Things security vendor Armis, meanwhile, found 42% of the attack activity is aimed at servers, and more than a quarter of it (27%) targets virtual machines. Other relatively heavily targeted devices include PCs (7%) and imaging IP cameras (12%), which is somewhat unusual, according to Armis.
Research from Armis shows that — so far, at least — devices in operational technology and manufacturing environments such as programmable logic controllers (PLCs) and human machine interface (HMI) devices for managing systems in these environments, have been relatively less targeted. Barely 2% of the vulnerability exploit attempt activity involved manufacturing PLCs, and 1% affected HMIs.
But industrial control systems security vendor Dragos said the vulnerability has left organizations in many industries — including electric power, manufacturing, food and beverage, and transportation — exposed to remote attacks. That's because Log4j is present in many open source repositories that are used in industrial applications. As examples, Dragos pointed to Object Linking and Embedding for Process Control (OPC) Foundation's Unified Architecture (UA) Java Legacy. Additionally, adversaries can exploit the Log4j vulnerability in proprietary supervisory control and data acquisition (SCADA) and energy management systems (EMS) that make use of Java, Dragos warned.
"The Log4j vulnerability has the similar exploit pattern of other zero-days, which is about five to seven days before widespread exploitation by criminal groups," says Sergio Caltagirone, vice president of threat intelligence at Dragos. "Of course, Java hasn't been a popular programming language or platform to cybercriminals for quite a while and therefore they will have a slight learning curve." However, don't expect that fact to deter attackers for too long, he adds, given the number of vulnerable victims.