There’s been a lot of Log4j news over the past few days, the most important being the report that the email system at the Belgian Ministry of Defense (Defence) was down for several days because of an attack that apparently took place last week.
The incident in Belgium was the first actual attack on an organization since the Apache Log4j vulnerability became public. In a prepared statement, the ministry said they discovered the attack last Thursday, looked to quarantine the “affected parts,” and would not release any details on the nature of the attack.
Public disclosures of Log4J intrusions have always been a matter of "when, not if," said Rick Holland, vice president of strategy and CISO at Digital Shadows. Since the initial discovery, Holland said there have been three Log4j patches (2.17.0 being the latest), which have lengthened remediation efforts, leaving attack windows open for both nation-state and cybercriminal adversaries.
"The Belgian Defense Ministry's disclosure is just the tip of the iceberg,” Holland said. “Sadly, we will never know the full scope of intrusions leveraging this vulnerability as most organizations don't have breach disclosure requirements. This widely-used, vulnerable Log4j open-source software has created a perfect storm with implications measured in years, not months.”
Casey Ellis, founder and CTO at Bugcrowd, said the criminal use of Log4Shell kicked off almost immediately after it was released, largely owing to the vast attack surface provided by Log4j. The industry quickly got reports of it being paired with coinminers (Kinseng) and botnets (Mirai), followed by pairing of the vulnerability with ransomware and other malicious payloads. Alongside this, we’ve seen considerable R&D work done of improving the exploit itself: Evading web application firewalls and improving the reliability of payload execution.
“So, hearing that the first reports of Log4j being detected in-use against a government agency so soon after the release of the exploit isn’t a huge surprise,” Ellis said. “The Belgian government’s response around 'quarantine' suggests that they build the targeted environments using a defense-in-depth approach, allowing them to selectively isolate network segments and systems to prevent lateral movement from an intrusion.”
In other Log4j news, researchers at Cryptolaemus reported in a tweet yesterday that exploits of the Log4j vulnerability were now infecting Windows devices with the Dridex banking trojan and Linux devices with Meterpreter.
And late last week, the Conti ransomware gang reportedly became the first ransomware group to be exploiting the bug. Researchers at AdvIntel said Conti was making lateral movement into VMware vCenter servers.
Saryu Nayyar, CEO at Gurucul, said there are several ways Log4j can be compromised, and it’s not initially clear which was used. In addition, Nayyar said the Conti ransomware gang has apparently used Log4j to attack the VMware vCenter using a similar attack.
“The Log4j attack vector is going to get worse before it gets better, and represents an easy way into many types of code,” Nayyar said. “Until there are patches for the vulnerabilities, users have no alternative but to closely monitor their code for exploitation. Teams have to try to get in front of this vector as much as possible, and address it by either shutting down logging or by patching as soon as it becomes available.”
Nasser Fattah, North America steering committee chair for Shared Assessments, added that pervasive vulnerabilities like Log4j take the concept of zero-day to hours or minutes for cybercriminals to locate and exploit IT assets in the vast digital landscape. Making matters worse, Fattah said it takes time for vendors to create security patches, as well as time for organizations to deploy the patches.
“Do not wait for a crisis like Log4j to implement/improve IT asset management inventory, which is vitally important to prioritize patch deployment,” Fattah said. “Also at times like this, we have the opportunity to evaluate the effectiveness of our detection capabilities, as well as patch deployment programs.”