Head over to our on-demand library to view sessions from VB Transform 2023. Register Here
Microsoft said Saturday that exploits so far of the critical Apache Log4j vulnerability, known as Log4Shell, extend beyond crypto coin mining and into more serious territory such as credential and data theft.
The tech giant said that its threat intelligence teams have been tracking attempts to exploit the remote code execution (RCE) vulnerability that was revealed late on Thursday. The vulnerability affects Apache Log4j, an open source logging library deployed broadly in cloud services and enterprise software. Many applications and services written in Java are potentially vulnerable.
More serious exploits
Attacks that take over machines to mine crypto currencies such as Bitcoin, also known as cryptojacking, can result in slower performance.
In addition to coin mining, however, Log4j exploits that Microsoft has seen so far include activities such as credential theft, lateral movement, and data exfiltration. Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 650,000 security customers.
VB Transform 2023 On-Demand
Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.
In its post Saturday, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.”
In particular, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.
Microsoft did not provide further details on any of these attacks. VentureBeat has reached out to Microsoft for any updated information.
According to a post from Netlab 360, attackers have exploited Log4Shell to deploy malware including Mirai and Muhstik—two Linux botnets used for crypto mining and distributed denial of service (DDoS) attacks.
The Swiss Government Computer Emergency Response Team posted that it has observed use of Mirai and Muhstik (also known as Tsunami) to deploy DDoS attacks, as well as deployment of Kinsing malware for crypto mining.
In response to the vulnerability, Microsoft said that security teams should focus on more than just attack prevention—and should also be looking for indicators of an exploit using a behavior-based detection approach.
Because the Log4Shell vulnerability is so broad, and deploying mitigations takes time in large environments, “we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention,” the company said in its post. “Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.”
Cobalt Strike is a legitimate tool for penetration testing that is commercially available, but cyber criminals have increasingly begun to leverage the tool, according to a recent report from Proofpoint. Usage of Cobalt Strike by threat actors surged 161% in 2020, year over year, and the tool has been “appearing in Proofpoint threat data more frequently than ever” in 2021, the company said.
In terms of Microsoft’s own products that may have vulnerabilities due to use of Log4j, the company has said that it’s investigating the issue. In a separate blog post Saturday, the Microsoft Security Response Center wrote that its security teams “have been conducting an active investigation of our products and services to understand where Apache Log4j may be used.”
“If we identify any customer impact, we will notify the affected party,” the Microsoft post says.
Patching the flaw
The Log4Shell vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.
“Something to keep in mind about this vulnerability is that you may be at risk without even knowing it,” said Roger Koehler, vice president of threat ops at managed detection and response firm Huntress, in an email. “Lots of enterprise organizations and the tools they use may include the Log4j package bundled in — but that inclusion isn’t always evident. As a result, many enterprise organizations are finding themselves at the mercy of their software vendors to patch and update their unique software as appropriate.”
However, patches for software products must be developed and rolled out by vendors, and it then takes additional time for businesses to test and deploy the patches. “The process can end up taking quite some time before businesses have actually patched their systems,” Koehler said.
To help reduce risk in the meantime, workarounds have begun to emerge for security teams.
One tool, developed by researchers at security vendor Cybereason, disables the vulnerability and allows organizations to stay protected while they update their servers, according to the company.
After deploying it, any future attempts to exploit the Log4Shell vulnerability won’t work, said Yonatan Striem-Amit, cofounder and chief technology officer at Cybereason. The company has described the fix as a “vaccine” because it works by leveraging the Log4Shell vulnerability itself. It was released for free on Friday evening.
Still, no one should see the tool as a “permanent” solution to addressing the vulnerability in Log4j, Striem-Amit told VentureBeat.
“The idea isn’t that this is a long-term fix solution,” he said. “The idea is, you buy yourself time to now go and apply the best practices — patch your software, deploy a new version, and all the other things required for good IT hygiene.”
The Log4Shell vulnerability is considered highly dangerous because of the widespread use of Log4j in software and because the flaw is seen as fairly easy to exploit. The RCE flaw can ultimately enable attacker to remotely access and control devices.
Log4Shell is “probably the most significant [vulnerability] in a decade” and may end up being the “most significant ever,” Tenable CEO Amit Yoran said Saturday on Twitter.
According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted Saturday.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.