Hackers continue to exploit Apache Log4j Security Flaws which was discovered on December 17, 2021. CISA issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability directing federal civilian executive branch agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228. The Emergency Directive requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately, thereby superseding the broader deadline in BOD 22-01 for internet-facing technologies.
Hackers including Chinese state-backed groups have launched more than 840,000 attacks on companies globally since last Friday, according to researchers, through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J.
What is Log4j vulnerability?
Log4j is a piece of open-source code enabling system administrators to handle and record errors. However, a disastrous vulnerability in the protocol has made masses of systems susceptible to cyberattacks.
The zero-day vulnerability termed ‘Log4Shell’ takes advantage of Log4j’s allowing requests to arbitrary LDAP (Lightweight Directory Access Protocol) and JNDI (Java Naming and Directory Interface) servers, allowing attackers to execute arbitrary Java code on a server or other computer or leak sensitive information.
In other words, hackers can exploit Log4Shell to install malicious software or enable data theft. Because of Log4j’s omnipresence, the threat is global and massive. . Apache products that are affected by Log4j.
Hackers exploit Log4j Security Flaws New reported Hacks.
On August 27, 2022, Iranian Hackers Exploits Unpatched Log4j 2 of an Israeli Organizations
"After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,"
September 9, 2022, Lazarus Exploits Log4j 2 of Energy Companies in US, Canada, & Japan
Threat intelligence company Cisco Talos says the cybercriminals group targeted certain energy providers in the three countries between February and July 2022. Lazarus used the Log4j vulnerability — reported last year — to gain access to the servers and deployed Vsingle, Yamabot malware, alongside a new entrant — dubbed MagicRat — to establish a seamless connection.
The research published by Cisco Talos on Thursday states that the MagicRat malware attributed to Lazarus is a remote access trojan used for reconnaissance and stealing credentials.
Vsingle is used to execute arbitrary code from remote networks and can be used to download plugins. According to the researchers, Lazarus has been using it for reconnaissance, manual backdooring, and exfiltration. The other one, Yamabot, is a Golang-based malware that uses HTTP requests to communicate with command-and-control servers.
Log4j Remediation
Remediation is a critical step to ensure that attackers do not exploit vulnerable Log4 assets in your environment as most organizations have multiple Java-based applications in their environment. Most Java-based applications use Log4J; the scope of this problem is significant.
Wait for the Vendor to Release a Log4j Patch
Many of the applications installed in your environment are developed by vendors. As with any application, these third-party applications may be vulnerable to Log4Shell. Most vendors will test their application(s) to ensure that they are not weak for Log4Shell and, if they are, will release a patch to fix the vulnerability. The CyberSecOp Red team can help you identify Log4J vulnerabilities so you can plan effectively and we will working the vendors to remediate them.
During war time, critical vulnerabilities can arise out of nowhere. It can be stressful and time-consuming to deploy emergency patches, and security teams often lack the resources and visibility needed to quickly identify, triage, and resolve vulnerabilities in a timely manner.
