Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability

Severity of Second Log4j Vulnerability Increased to Critical 

Russia has been added to the list of nation states targeting the recently disclosed Log4Shell vulnerability, with exploitation attempts linked to several of the country’s cyberespionage groups.

Exploitation of the Log4j vulnerability tracked as CVE-2021-44228, Log4Shell and LogJam started in early December, with initial attack reports describing activity associated with profit-driven cybercriminals delivering cryptocurrency miners, DDoS malware, ransomware and other malicious programs.

Then, on December 14, Mandiant reported seeing Chinese and Iranian state-sponsored threat actors exploiting the Log4Shell flaw. The next day, Microsoft said it had observed activity that it had connected to China, Iran, North Korea and Turkey.

On Friday, cybersecurity rating and risk management company SecurityScorecard reported seeing reconnaissance activity apparently linked to Chinese and Russian APTs. In the case of China, the company named APT10, and in the case of Russia it mentioned APT28, Turla, Ursnif and Grizzly Steppe.

Interestingly, SecurityScorecard’s analysis also showed IP addresses that were previously tied to Drovorub domains. Drovorub is a mysterious piece of malware that U.S. intelligence agencies linked to Russia’s APT28 in the summer of 2020. The NSA and FBI issued a warning at the time, but as of February 2021 none of the major cybersecurity firms contacted by SecurityWeek had found any actual samples of the malware.

In addition to cyberspy groups, Advintel reported that the notorious Conti ransomware group had been leveraging Log4Shell against VMware vCenter servers for lateral movement.

CVE-2021-45046 becomes critical

CVE-2021-44228 was patched on December 6 with the release of Log4j 2.15.0. However, it was soon discovered that the fix was incomplete in certain non-default configurations, and exploitation could still lead to denial-of-service (DoS) attacks “or worse.”

A new CVE identifier, CVE-2021-45046, was assigned to this issue, and another round of updates was released — versions 2.12.2 and 2.16.0 — to patch this vulnerability and disable access to the functionality abused in attacks.

CVE-2021-45046 was initially assigned a CVSS score of 3.7, but after further analysis it has been assigned a CVSS of 9, which makes it “critical severity.” Its severity rating was upgraded after researchers discovered that its exploitation could lead to information leaks, local code execution and remote code execution.

Cloudflare said on Wednesday that it had seen exploitation attempts targeting CVE-2021-45046. SecurityWeek reached out to the company on Friday for more information on these attacks, but they couldn’t share any data.

On Thursday, Cloudflare reported a surge in Log4Shell attacks, with the company seeing more than 100,000 attempts per minute during certain times of day.

It’s worth noting that log4j 2.16.0 patches both CVE-2021-44228 and CVE-2021-45046 — affected organizations are advised to update the logging utility to this version.

It also came to light recently that the Log4Shell vulnerability can be exploited by getting the target to access a malicious website — not only by sending specially crafted requests to vulnerable servers — but currently there is no evidence that this method has been used for malicious purposes.

One week after Log4Shell was disclosed, a scanning of enterprise cloud environments conducted by cloud security company Wiz found that only 30% of vulnerable resources have been patched.

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: Industry Reactions to Log4Shell Vulnerability (12/15/2021)

Related: Industrial Organizations Targeted in Log4Shell Attacks