Leading cybersecurity companies CrowdStrike and Mandiant confirmed Tuesday that Chinese and Iranian state actors are leveraging the Log4j vulnerability – while other state actors are likely preparing to do the same.
“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time,” said John Hultquist, vice president of intelligence analysis at Mandiant. “In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”
Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the company observed Iran-backed Nemesis Kitten newly deploy into a server class file that could be triggered by Log4j. Meyers said the timing, intent and capability are consistent with the adversary attempting to exploit Log4j. CrowdStrike previously observed Nemesis Kitten attempt both disruptive and destructive attacks, he said.
Mandiant’s Hultquist added that the Iranian actors whom they associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be carried out primarily for disruptive purposes rather than financial gain. “They are also tied to more traditional cyber espionage,” he concluded.
The Log4j vulnerability was first reported late last week. Since that time, security researchers have warned that ransomware and other attacks are imminent in the days and weeks ahead.
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, added that Nemesis Kitten operates as one of many Iranian-linked, state-associated threat groups that have been using wiper malware and the destructive capabilities of ransomware to cause maximum damage to targeted networks. Morgan said similar attacks linked with Iranian groups include the use of the ZeroCleare malware, which was deployed to target several entities within the Middle East in 2019.
“The use of Log4j as an entry method into susceptible networks is highly predictable, with reporting already indicating that nation-state associated advanced persistent threat (APT) groups tied to Russia, China, Turkey, and Iran are attempting to exploit the bug,” Morgan said. “The current period likely represents the calm before the storm, and it's almost certain that we will observe the Log4Shell exploit used as the entry point on a series of APT-associated campaigns in the coming months.”