Log4j vulnerability now used by state-backed hackers, access brokers


As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging library.


Also known as Log4Shell or LogJam, the vulnerability is now being used by threat actors linked to governments in China, Iran, North Korea, and Turkey, as well as access brokers used by ransomware gangs.


All hackers switch to Log4Shell


Among the first threat actors to leverage Log4Shell to drop payloads were cryptocurrency mining groups and botnet operators, which started attacking immediately after proof-of-concept exploit code became available.


In a report published on Sunday, the Microsoft Threat Intelligence Center (MSTIC) said it had observed the critical Log4j bug being exploited to drop Cobalt Strike beacons, which could indicate that more menacing actors were at play, since that payload is commonly seen in hands-on network intrusions.


MSTIC updated the report on Tuesday to add that it had detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked “groups originating from China, Iran, North Korea, and Turkey.”



“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

Microsoft Threat Intelligence Center



One of the actors is the Iranian threat group Phosphorus (also tracked as Charming Kitten or APT 35), which Microsoft observed “acquiring and making modifications” to the Log4Shell exploit.


Unlike most APT groups operating these days, Charming Kitten also has a history of ransomware attacks, mainly to disrupt operations rather than cash in, along with cyberespionage ..