Microsoft researchers reported that Nation-state actors from China, Iran, North Korea, and Turkey are now abusing the Log4Shell (CVE-2021-44228) in the Log4J library in their campaigns. Some of the groups exploiting the vulnerability are China-linked Hafnium and Iran-linked Phosphorus, the former group is using the flaw to attack virtualization infrastructure, the latter to deploy ransomware.
“MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.” reads the Guidance published by Microsoft.
“For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications. In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.”
Microsoft experts also state that multiple access brokers have begun using the Log4Shell vulnerability to gain initial access to target networks and then sell it to ransomware-as-a-service affiliates.
Most of the traffic observed by Microsoft is associated with mass scanning for vulnerable systems conducted by both threat actors and security researchers. The IT giant reported a rapid uptake of the Log4Shell vulnerability into existing botnets, including Mirai and Tsunami backdoor aimed at bot Linux and Windows systems.
“Microsoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.” continues Microsoft.
Microsoft also warns of ongoing exploitation on non-Microsoft hosted Minecraft servers and urges Minecraft customers running their own servers to deploy the latest Minecraft server updateto protect their users.
Microsoft also confirmed that the exploitation of the Log4Shell to deploy the Khonsari ransomware, as discussed by Bitdefender recently. Microsoft Defender Antivirus detected a small number of Khonsari-related attacks being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.
“In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device.” concludes Microsoft.
(SecurityAffairs – hacking, Log4Shell)