Government organizations and the private sector are responding to the disclosure of a critical vulnerability affecting the widely used Log4j logging utility, as exploitation attempts are on the rise.
Apache Log4j is a Java-based logging tool that is included in various open source libraries, and is directly embedded in many popular software applications.
It came to light recently that the cross-platform library is affected by a critical remote code execution vulnerability — tracked as CVE-2021-44228 and dubbed Log4Shell — that can be exploited to gain complete access to the targeted system by getting the affected application to log a specially crafted string.
Log4Shell was reported to Log4j developers by the Alibaba cloud security team on November 24 and a patch was made available on December 6 with the release of version 2.15.0. Proof-of-concept (PoC) exploits were developed shortly after.
The list of affected companies and software includes Apple, Tencent, Twitter, Baidu, Steam, Minecraft, Cloudflare, Amazon, Tesla, Palo Alto Networks, IBM, Pulse Secure, Ghidra, ElasticSearch, Apache, Google, Webex, LinkedIn, Cisco and VMware. The list is being regularly updated.
Attacks exploiting Log4Shell
Cloudflare reported seeing evidence of exploitation on December 1, but mass exploitation began only after the flaw was publicly disclosed. While most of the activity observed until now has focused on the identification of vulnerable systems exposed to the internet, there has been a significant increase in actual attacks exploiting Log4Shell.
The SANS Institute reported seeing the zero-day vulnerability being exploited in the wild to deliver cryptocurrency miners.
Cisco’s Talos research and intelligence unit has seen exploitation attempts by APT groups, as well as botnets such as Mirai. The Netlab unit at Chinese cybersecurity firm Qihoo 360 reported seeing Log4Shell attacks involving the Muhstik botnet.
Microsoft has observed attempts to install cryptocurrency miners and Cobalt Strike payloads that can be used for data theft and lateral movement.
There is also evidence of exploitation against Apple’s iCloud service and Minecraft servers.
Threat intelligence company GreyNoise, which started seeing exploitation attempts on December 9, shortly after weaponized PoC exploits became available, has witnessed exploitation attempts coming from hundreds of IP addresses.
Bitdefender said most of the attacks seen by its honeypot network came from Russian IPs, and Lacework reported that much of the scanning it has seen originated from Tor nodes.
Response from government agencies, vendors and cybersecurity firms
Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), on Friday issued a statement pointing out that the vulnerability has been added to the agency’s catalog of known exploited flaws, which compels federal civilian agencies to immediately address it.
The Canadian government is also taking the threat seriously. The Canada Revenue Agency has decided to take its systems offline as a precaution — it claims that it has not detected any actual breach resulting from this vulnerability.
Microsoft has released blog posts with mitigation guidance for Azure and other customers.
VMware has also released an advisory to inform customers that many of its products are affected. The virtualization giant has started releasing patches and mitigations, and warned that it has confirmed exploitation attempts in the wild.
Cisco is investigating the impact of CVE-2021-44228 on its products and many have already been confirmed to be affected.
The developers of the enterprise management software Jamf Pro have also confirmed being impacted and announced the availability of patches and mitigations. Researchers at Randori have confirmed that Jamf Pro can be targeted and they believe that widespread exploitation is imminent.
Managed detection and response company Huntress, which has released a tool designed to help organizations test if their applications are affected by CVE-2021-44228, pointed out that MSPs such as Auvik, ConnectWise and N-able have confirmed being impacted.
Cybersecurity companies such as Qualys, Cloudflare, CrowdStrike, ShiftLeft, Bishop Fox, Sophos, NCC Group, IBM Security, SOC Prime, LunaSec, Forescout, F-Secure, Tenable, Malwarebytes and Cybereason have released blog posts to inform customers about the attacks, and how their products can detect exploitation attempts or vulnerable versions of the Log4j library.