Following the revelation of an actively exploited Log4j vulnerability at the beginning of this week, there has been an uptick in the number of attacks targeting unpatched systems. What is more, according to Cloudflare, threat actors are aggressively seeking to exploit a second, newly discovered weakness in the widely used Log4j logging library. This vulnerability, tracked as CVE-2021-45046, can be used to launch denial-of-service (DoS) attacks.
According to the Apache Software Foundation (ASF), the patch for the first Log4Shell remote code execution flaw (tracked as CVE-2021-44228) was incomplete in certain non-default configurations, leaving room for further exploitation attempts. The good news is that the problem has been resolved in Log4j version 2.16.0. All Log4j users are therefore urged to upgrade to version 2.16.0 as soon as possible, even if they have already upgraded to 2.15.0.
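Because the advice above is to upgrade every deployed copy of Log4j to 2.16.0, the first practical question for a defender is where copies of log4j-core actually live, including those bundled inside WAR and EAR files. The following inventory script is an added example, not code from the article or from any vendor it quotes. It identifies log4j-core by the Maven `pom.properties` entry or the OSGi bundle name in the JAR manifest (an assumption that holds for official Maven-built artifacts but not necessarily for shaded or repackaged copies), walks nested archives, and flags any version below 2.16.0. The sample archives it builds for its own demonstration are constructed and contain only metadata, not real Log4j code.

```python
"""Inventory log4j-core JARs under a directory tree (including JARs nested in WAR/EAR/JAR files)
and flag any whose version is below 2.16.0. Added example; not part of the original article."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # release the article tells users to move to
# Maven-built log4j-core artifacts carry this properties file (assumption: not present in shaded copies)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # guard against pathological nesting


def parse_version(text):
    """Turn '2.15.0' (optionally with a suffix) into (2, 15, 0); None if malformed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def _version_from_archive(zf):
    """Return the log4j-core version recorded in this archive's metadata, or None if it is not log4j-core."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        # Fallback: the OSGi bundle name identifies the artifact when pom.properties is absent
        if "Bundle-SymbolicName: org.apache.logging.log4j.core" in manifest:
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                return parse_version(m.group(1))
    return None


def scan_archive(data, label, findings, depth=0):
    """Inspect an in-memory archive recursively; append (label, version_tuple) for each log4j-core found."""
    if depth > MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container; nothing to inspect
    with zf:
        version = _version_from_archive(zf)
        if version:
            findings.append((label, version))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Walk a directory tree and return every log4j-core found as (location, version_tuple)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def vulnerable(findings):
    """Keep only copies older than the fixed release, with the version rendered as a string."""
    return [(label, ".".join(map(str, v))) for label, v in findings if v < FIXED_VERSION]


def build_demo_tree(root):
    """Constructed sample data: a WAR bundling log4j-core 2.15.0 and a standalone 2.16.0 JAR (metadata only)."""
    def make_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()

    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", make_jar("2.15.0"))
    (root / "app.war").write_bytes(war.getvalue())
    (root / "lib" / "log4j-core-2.16.0.jar").write_bytes(make_jar("2.16.0"))
    return root


def demo():
    """Build the constructed tree in a temporary directory and return (all findings, vulnerable findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_tree(build_demo_tree(tmp))
        return findings, vulnerable(findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_tree(target) if target else demo()[0]
    for location, version in vulnerable(found):
        print(f"NEEDS UPGRADE: {location} (log4j-core {version})")
```

Run it with a directory argument to inventory a real host; with no argument it scans the constructed sample tree. Anything it reports still needs confirmation against the actual artifact, since the metadata check can miss copies that were repackaged without Maven or OSGi metadata.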
As per the latest information, a total of 1.8 million attempts have been made to exploit the Log4j vulnerability. More details on the scale of the attack reveal that, aside from the infamous Hafnium and Phosphorus groups, advanced persistent threat (APT) groups from China, North Korea, Iran, and Turkey have also joined the exploitation attempts, aiming to compromise as many vulnerable systems as possible and open the door to follow-on attacks.
Access brokers have also been spotted abusing the Log4Shell weakness to gain initial access to target networks, which they then sold on to ransomware affiliates, according to the Microsoft Threat Intelligence Center (MSTIC). Several malware families have exploited this weakness, ranging from cryptocurrency coin miners and remote access Trojans to botnets and web shells.
However, even though it is common for threat actors to attempt to exploit newly disclosed vulnerabilities before they are patched, this particular flaw highlights the dangers of software supply chains when a basic software component is used across multiple vendors and integrated by customers worldwide.
Industrial cybersecurity company Dragos said in a blog post that this cross-cutting vulnerability has a serious effect on both proprietary and open-source software, and leaves many critical industrial sectors, such as electric power, water, food, transportation and manufacturing, exposed to remote exploitation.
According to the researchers, more complex Log4j exploitation is expected to emerge as network defenders close off the simpler exploit channels and advanced adversaries integrate the vulnerability into their attacks.
Meanwhile, researchers at security company Praetorian have already discovered a third security flaw in Log4j version 2.15.0, which they say could lead to the leakage of sensitive data. To avoid encouraging further exploitation attempts, the flaw's technical details have not been disclosed.