December 15, 2021

What is Log4j?

The high-severity Log4j vulnerability made headlines last week. It took the cybersecurity world by storm as researchers raised concerns that ransomware attacks may surge once threat actors began to exploit it.

It is a critical RCE (remote code execution) flaw in the commonly used Java-based logging tool Apache Log4j. The vulnerability, tracked as CVE-2021-44228, was discovered in November and patched on 6 December.

However, exploitation of Apache Log4j started as early as 1 December, and wide-scale attacks were observed from 9 December onwards after proof-of-concept exploits surfaced on the web.

Mandiant’s Analysis

According to the intelligence analysis vice president at Mandiant, John Hultquist, threat actors are quickly working to create footholds in “desirable networks for follow-on activity, which may last for some time.”

Hultquist noted that in some cases, the threat actors might use a “wish list of targets” that could be selected after extensive targeting. He added that Iranian state hackers are specifically aggressive with this flaw and want to participate in ransomware operations designed to cause widespread disruption instead of financial gains.

“They are also tied to more traditional cyber espionage,” Hultquist observed. However, the company didn’t disclose the names of the Iranian and Chinese state actors linked with Log4j exploitation.

“We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well or preparing to,” Hultquist said.

“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity that may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting,” Hultquist warned.

“The Iranian actors who we have associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain. They are also tied to more traditional cyber espionage,” Hultquist concluded.

CrowdStrike’s Analysis

The senior vice president of intelligence at CrowdStrike, Adam Meyers, stated that the Iranian state-backed group Nemesis Kitten has recently deployed a server-class file that Log4j can trigger.

Considering the intent, timing, and capability of this deployment, it becomes apparent that they are trying to exploit the Log4Shell vulnerability. It is worth noting that CrowdStrike previously identified destructive and disruptive attacks from Nemesis Kitten.

Posted by Charlie