As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.

Up until now, it was largely accepted that mere private miscreants, criminal gangs, and security researchers were mostly scanning the internet for systems and services vulnerable to CVE-2021-44228 in the open-source logging library widely used by Java applications. Network observers say they've seen tens of thousands of attempts per minute. Successful exploitation may result in the installation of ransomware and cryptocurrency miners, the theft of cloud credentials and other information, and so on.

On Tuesday, the Microsoft Threat Intelligence Center (MSTIC) pointed the finger at specific countries, saying they are using the security bug to spread extortionware, test exploit code, and infiltrate networks:

Phosphorous is the Iranian group accused of trying to infiltrate online accounts of those involved in the US presidential elections last year. Hafnium is the Chinese team said to have exploited holes in Microsoft Exchange Server around the start of this year. Of course, Western agencies wouldn't dream of abusing this hole in the wild.

Earlier this week, Kaspersky Lab and Bitdefender said it had seen attempts to attack Log4j deployments coming from Russian IP addresses, though we note it's not terribly difficult to route connections through nodes in the land of President Putin. Mandiant also said it has seen exploitation attempts from black-hat hackers linked to Beijing and Tehran.

Yes, attribution is hard and all that. But it's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021. That's quite a tight deadline. Version 2.16 of Log4j 2.x is available that disables the vulnerable functionality by default and removes the insecure message lookup code completely.

The programming blunder has been added to CISA's known exploited vulnerabilities catalog.

This security flaw is one of the worst, if not the worst, in a decade or more: there are going to be long-term repercussions as systems thought to be free of the bug turn out to be vulnerable and are exploited months or years later.

Organizations need to not only locate installations of services and applications that deep down use Log4j and patch them, but also investigate whether or not they were compromised, what information was at risk if that happened, and perhaps even just assume they were compromised and work from there.

CISA has a bunch of useful resources here on GitHub, including a big list of affected software and products and related advisories – from Amazon cloud services to VMware tools.

“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.

"This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.

"Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates."

So far, CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j. ®