Log4Shell used by nation-state hackers from China, Iran
As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging library.
Also known as Log4Shell or LogJam, the vulnerability is now being used by threat actors linked to governments in China, Iran, North Korea, and Turkey, as well as access brokers used by ransomware gangs.
Among the first threat actors to leverage Log4Shell to drop payloads were cryptocurrency mining groups and botnets, which started attacking immediately after proof-of-concept exploit code became available.
In a report on Sunday, Microsoft Threat Intelligence Center (MSTIC) observed the critical Log4j bug being exploited to drop Cobalt Strike beacons, which could indicate that more menacing actors were at play since the payload is often part of network breaches.
MSTIC updated the report on Tuesday to add that it had detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked “groups originating from China, Iran, North Korea, and Turkey.”
“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives” – Microsoft Threat Intelligence Center
One of the actors is the Iranian threat group Phosphorus (also tracked as Charming Kitten and APT35), which Microsoft observed “acquiring and making modifications” to the Log4Shell exploit.
Unlike most APT groups operating these days, Charming Kitten also has a history of ransomware attacks, mainly to disrupt operations rather than cash in, along with cyberespionage activity.
Another nation-state threat actor taking advantage of the Log4Shell bug is Hafnium, a hacking group linked to China.
The adversary became more broadly known after exploiting the ProxyLogon zero-day vulnerabilities in Microsoft Exchange Server in the window between the bugs being reported and a patch becoming available.
Microsoft says that Hafnium is now using Log4Shell in attacks against virtualization infrastructure “to extend their typical targeting
According to the researchers, the systems Hafnium used in these attacks relied on a DNS service normally associated with testing activity to fingerprint machines.
Cybersecurity firm Mandiant has confirmed that Chinese and Iranian state actors are using the Log4j vulnerability in attacks and expects other groups to be doing the same or to be in a preparation stage.
John Hultquist, VP of Intelligence Analysis at Mandiant, told BleepingComputer that adversaries will waste no time establishing persistence on targeted networks for later stages of the attack.
“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting” – John Hultquist
While the report from MSTIC also mentions state-backed hacking groups from North Korea and Turkey, the researchers did not offer any information on how these actors leveraged Log4Shell.
Apart from nation-state actors, Microsoft has confirmed that brokers providing initial network access to various groups, mostly financially motivated ones, have also started to exploit the Log4j flaw.
Initial access brokers typically work with ransomware-as-a-service (RaaS) operations, to which they sell access to compromised company networks.
“We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms” – Microsoft Threat Intelligence Center
Log4Shell has already been used in a ransomware attack from a new actor named Khonsari, a report from Bitdefender shows.
Based on available information, Khonsari may be used to wipe data rather than encrypt it for ransom, because its ransom note lists contact details for a Louisiana antique shop owner rather than the attacker’s.
It is no surprise that Log4Shell has attracted hackers of all sorts. The bug has a maximum severity score and can be exploited remotely without authentication to take full control of a vulnerable system. Furthermore, the vulnerable Log4j library is included in products from dozens of vendors.
Given the damage this bug can cause, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems immediately.