Dec 16, 2021

Log4j threat expands as second vulnerability emerges and nation states pounce

The vulnerability in Apache Log4j, the widely used Java logging library (CVE-2021-44228, known as Log4Shell), is seen as one of the most serious of the last decade: upwards of 3 billion devices run Java, according to Forrester analyst Allie Mellen. The exposure ranges from consumer gaming systems to IoT devices and sophisticated enterprise networks.
The products of at least 25 high-profile enterprise technology vendors are affected, including Amazon, Microsoft, Cisco, VMware and Red Hat, according to a CISA list initially populated by security researcher Kevin Beaumont. Google too is closely following the vulnerability and investigating its potential impact on Google products and services, the company said in a statement; so far it has found the vulnerability in its Migrate for Compute Engine and Google Cloud VMware Engine services.
Log4j poses a severe risk to organizations, as hundreds of millions of devices may already be at risk from threat actors attempting remote code execution, CISA officials said.
CISA updated a recent security directive, making it mandatory for federal agencies to patch by Dec. 24, and has instructed federal agencies to take additional security measures.
The danger lies in part in the fact that exploitation requires little to no engineering background: an attacker needs only to get a crafted JNDI lookup string into any field the target application logs, such as a User-Agent header or a chat message, and the vulnerable library will contact an attacker-controlled server and run the code it returns. While the threat activity thus far has been limited, officials and security researchers expect sophistication and targeting to ramp up quickly.
“It has largely been low-level activity such as cryptominers, but we do expect that adversaries of all sorts will utilize this vulnerability to achieve their strategic goals,” said Eric Goldstein, CISA's executive assistant director for cybersecurity.
Researchers from Mandiant have detected nation-state activity from two long-time adversaries of the U.S. and expect other state actors to follow quickly.
“We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to,” John Hultquist, VP, intelligence analysis at Mandiant, said in a statement. “We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time.”
The threat actors may already have a wish list of targets to work from, Hultquist said. In other cases, targets may be selected after broad, indiscriminate exploitation.
The Iranian threat actors associated with this vulnerability have been aggressive, taking part in ransomware operations designed for disruption rather than financial gain. The same actors are also tied to more traditional cyber operations.
In addition to China and Iran, Microsoft has tracked threat activity stemming from North Korea and Turkey, the company said. “This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

Article Categories:
Cybersecurity News