

source link: https://siliconangle.com/2021/12/15/alleged-state-sponsored-hackers-target-log4j-vulnerability-fears-worm-emerge/

Alleged state-sponsored hackers target Log4j vulnerability as fears of a worm emerge

Attacks exploiting the Apache Log4j vulnerability continue to expand: multiple state-sponsored advanced persistent threat groups are now believed to be using the vulnerability, and fears are emerging that a worm could exploit it.
The Log4j vulnerability emerged last week and has been described by Jen Easterly, the head of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency, as possibly the most serious vulnerability she has seen in her career. It’s a valid call, with Log4j embedded in millions of systems across companies, including some of the biggest names online.
While cybercriminals worldwide continue to exploit the vulnerability, the biggest development in the last 24 hours is the emergence of multiple alleged state-sponsored APTs also exploiting the Log4j vulnerability. The Wall Street Journal, referencing cybersecurity firms and Microsoft Corp., reported that hackers linked to China, Iran, North Korea and Turkey are suspected of exploiting the vulnerability.
The Chinese APT group targeting the Log4j vulnerability is said to be the same group that was linked to widespread attacks on Microsoft Exchange servers earlier this year. The Exchange attack in March, which involved a hacking group Microsoft called “Hafnium,” was focused on stealing data from universities, defense contractors, law firms and infectious-disease researchers.
The Middle Kingdom has denied the claim, saying that it opposes cyberattacks of any kind and that a security team in China was the first to report the Log4j vulnerability.
Yana Blachman, threat intelligence specialist at cybersecurity company Venafi Inc., told SiliconANGLE that the reports that sophisticated state-backed actors and ransomware gangs from China, Iran and North Korea are leveraging the vulnerability are very worrying. “North Korea-backed actors, in particular, are well-versed in exploiting zero-days and might use it to install ransomware and monetize victims for profit, alongside their cyber espionage activities,” Blachman said.
Satnam Narang, staff research engineer at cyber exposure platform startup Tenable Inc., said it’s not surprising that, several days into the discovery of Log4Shell, we’re seeing reports of state-sponsored groups leveraging Log4Shell as part of their attack campaigns.
As reports of those exploiting the vulnerability continue to flood in, more may be yet to come. “Cybercriminals from all over the world are seeking to exploit this fundamental part of the software supply chain,” said James Carder, chief security officer of security intelligence firm LogRhythm Inc. “Anything with a logging mechanism generally leverages this open-source library, so this vulnerability likely impacts millions of devices and thousands of different products across critical infrastructure, financial institutions, healthcare organizations, and other industries.”
Carder said his firm has tested the vulnerability and confirmed that attackers can leverage it to gain remote access and execute code remotely on affected platforms. “Within a few minutes of its release, we began seeing attacks and scans against infrastructure looking for this vulnerability,” he said. “Cybercriminals were building their lists after seeing who was vulnerable and then preparing to come in with a second-stage attack. We have seen the attacks morph over time to be used by botnets as cybercriminals continue to search for compromised organizations.”
If things were not already bad enough with the Log4j vulnerability, a worm is a strong possibility. A worm, in hacking and cybersecurity terms, is a type of malware that spreads copies of itself from computer to computer. A worm that exploits Log4j could self-replicate across any device running Log4j, and such devices range from physical computers to IP cameras, multimedia players, network access points, attendance systems and more.
“A wormable exploit is definitely a valid scenario here — we already see cases where the Log4Shell vulnerability is used by ‘common’ cybercrime-related operations in order to spread ransomware and other common mischief,” Yaniv Balmas, vice president of security research at application programming interface company Salt Security Inc., told SiliconANGLE. “Judging from past experience, it is very likely someone will decide to embed this vulnerability into a worm which will be almost impossible to stop once it reaches a critical mass. You must remember that we are still seeing artifacts from similar worms that were launched years ago, even today.”
Jake Williams, co-founder and chief technology officer at incident response company BreachQuest Inc., agreed that there’s “no question that someone will create a worm that abuses the Log4Shell vulnerabilities.”
Williams added that it won’t be like WannaCry, NotPetya, or many previous worms that abuse system-level processes. “The vast majority of servers vulnerable to Log4Shell will be running the vulnerable process with very limited permissions,” Williams explained. “In most cases, a worm exploiting Log4Shell would probably not be able to achieve persistence across process restarts. Additionally, because the process probably doesn’t have filesystem permissions, we should be less worried about ransomware payloads.”
Tim Wade, technical director of the CTO Team at artificial intelligence firm Vectra AI Inc., said that although worms may move and spread at scale, he believes this is a vulnerability that is still mostly at risk from attack by creative and adaptive human adversaries. He said they may leave fewer fingerprints behind them as they undertake less overt attacks, such as extracting cryptographic secrets or API keys for present or future campaigns.
“This isn’t to say that a worm enabling further immediate, mass exploitation is not problematic – just that some of these less direct attacks may introduce more lasting damage when they go undetected for great lengths of time,” Williams added.
Image: Apache Software Foundation