Chinese, Iranian threat groups said to exploit Log4j

December 14, 2021

U.S. President Joe Biden participates in a virtual meeting with Chinese President Xi Jinping at the White House on Nov. 15, 2021, in Washington,. A hacking group tied to the Chinese government has exploited zero-day vulnerabilities in internet facing web applications — including Log4j — to compromise the networks of at least six U.S. state governme...

U.S. President Joe Biden participates in a virtual meeting with Chinese President Xi Jinping at the Roosevelt Room of the White House November 15, 2021 in Washington, DC. (Photo by Alex Wong/Getty Images)

Leading cybersecurity companies CrowdStrike and Mandiant confirmed Tuesday that Chinese and Iranian state actors are leveraging the Log4j vulnerability – while other state actors are likely preparing to do the same.

“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time,” said John Hultquist, vice president of intelligence analysis at Mandiant. “In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”

Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the company observed Iran-backed Nemesis Kitten newly deploy into a server class file that could be triggered by Log4j. Meyers said the timing, intent and capability are consistent with what would be the adversary attempting to exploit Log4j. CrowdStrike previously observed Nemesis Kitten attempt both disruptive and destructive attacks, he said.

Mandiant’s Hultquist added that the Iranian actors who they associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain. “They are also tied to more traditional cyber espionage,” he concluded.

The Log4j vulnerability was first reported late last week. Since that time, security researchers have warned that ransomware and other attacks are imminent in the days and weeks ahead.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, added that Nemesis Kitten operates as one of many Iranian-linked state-associated threat groups that has been using wiper malware and ransomware’s destructive capabilities to cause maximum damages to targeted networks. Morgan said similar attacks linked with Iranian groups include the use of the ZeroCleare malware, which was deployed to target several entities within the Middle East in 2019.

“The use of Log4j as an entry method into susceptible networks is highly predictable, with reporting already indicating that nation-state associated advanced persistent threat (APT) groups tied to Russia, China, Turkey, and Iran are attempting to exploit the bug,” Morgan said. “The current period likely represents the calm before the storm, and it's almost certain that we will observe the Log4Shell exploit used as the entry point on a series of APT-associated campaigns in the coming months.”