Data from 2021 highlights a significant increase in corporate network-focused cyber attacks as compared with figures from 2020. Cyber security researchers attribute some of the increases, which were concentrated towards the end of the year, to the Log4j vulnerability, which surfaced in December.
Since then, the world has watched as a series of advanced persistent threat groups continue to exploit serious vulnerabilities in the Apache Log4j software. In some cases, organizations may not be aware of the fact that their environments are compromised.
The Cybersecurity and Infrastructure Security Agency (CISA) warns that, although “no significant intrusions” have occurred to-date, hackers may be waiting to pull the trigger.
Experts have observed a series of nation state-backed threat actors leveraging Log4j vulnerabilities for their own pursuits. Here’s what we know about who’s behind the nefarious activities and what’s happening right now.
Phosphorus or APT35
The hacking group known as Phosphorous or APT35 is using the Log4j vulnerability to deploy malware. The group is distributing a new modular PowerShell toolkit.
This advanced threat group is one of several state-backed hacking entities known to have been developing tools and techniques to exploit public-facing Java applications that rely on unpatched Log4j-based code.
Microsoft has observed this group’s increasing use of ransomware in attacks. According to further professional analysis by Check Point researchers, APT35’s Log4j work came across as amateurish and “obviously rushed,” using a basic publicly available JNDI exploit kit. In turn, this made attacks easy to detect and attribute.
Night Sky ransomware
An unknown group of hackers is distributing the Night Sky crypto-locking malware, which involves a ransom demand and double extortion techniques. One Night Sky victim received a ransom demand of $800,000. In exchange for payment, attackers agreed to provide a decryptor and to withhold stolen data from public view.
As Log4j challenges evolve, vendors will continue to identify and patch vulnerable systems and software, after which customers and users will need to test the updates and release them within their own environments.
The challenge is compounded by the fact that a large number of vulnerable products and services are embedded within other products and services. “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment,” says Microsoft.
On account of the numerous software elements and services that are impacted and the pace of updates, attention to Log4j issues may require ongoing, sustained vigilance.
White House meeting
Today, the White House meets with representatives from major players in the tech space to discuss software security and open source tools. Meeting attendees include leaders of companies like the Apache Software Foundation, Oracle, IBM, Linux, Apple, Google and Facebook.
“Building on the Log4j incident, the objective of this meeting is to facilitate an important discussion to improve the security of open source software — and to brainstorm how new collaboration could rapidly drive improvements,” stated a senior Biden administration official ahead of the meeting.
To get in-depth insights into Log4j, mitigation measures and corresponding security solutions, click here and here. Lastly, please join us at the premiere cyber security event of the year, CPX 360 2022. Register here.