A second vulnerability in Apache Log4j has been discovered. Unlike its Log4shell cousin it hasn't, as we go to press, received a catchy nickname, but MITRE has registered the issue as CVE-2021-45046. The flaw arises because the fix shipped in Log4j 2.15.0 turned out to be incomplete in certain non-default configurations; it's addressed in Log4j 2.16.0, which removes message lookups and disables JNDI by default. Organizations should apply that update or, if they can't yet move off older versions of Log4j, disable JNDI lookups (most simply by removing the JndiLookup class from the log4j-core jar), which is in any case the default behavior in the newer, patched versions.
CISA offers an update on Log4shell.
Late yesterday afternoon, and running into the early evening, the US Cybersecurity and Infrastructure Security Agency (CISA) held a phone conference with the media to discuss the current state of risk and remediation surrounding Log4shell. On balance, as Reuters reports, CISA thinks most of the activity has been scanning and cryptojacking, and that it hasn't confirmed industry reports of more damaging activity.
CyberScoop quotes CISA’s Executive Assistant Director Eric Goldstein to the effect that, “Certainly given the nature of this vulnerability, the triviality of exploitation, the ubiquity of the presence across enterprise, consumer and IoT [internet of things] products — really, our broad focus here is driving mitigation across the board, recognizing that malicious cyber actors of all types may decide to use this vulnerability to achieve a variety of attack types or drive a variety of malicious ends.”
And more consequential exploitation seems to have begun.
As the Record notes, Log4shell has been exploited to distribute ransomware. It's also now being used by nation-state espionage services. Microsoft reported yesterday that it's seeing "the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives." Microsoft particularly draws attention to Iran's Phosphorus and China's Hafnium groups as among the nation-state actors that have been using Log4shell against their targets.
Mandiant has also, SecurityWeek reports, seen Iranian and Chinese exploitation in progress. Mandiant thinks more intelligence services will be joining the party soon. The company's vice president of intelligence analysis, John Hultquist, emailed SecurityWeek to tell them, “We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to. We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”
The criminal-to-criminal market has also taken note, and Microsoft has seen access brokers working to monetize the vulnerability: "MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms."
The basic advice about handling the vulnerability has remained stable. Both ESET and Fastly, to take two of the many security firms who've published recommendations, emphasize the importance of determining where the Log4shell vulnerability exists in an organization, and of then applying the available patches. BleepingComputer is offering a list of affected products along with vendor advice on mitigation, and SecurityWeek is maintaining a current list of tools and resources for defenders.
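Added example, not code from this article, from ESET or Fastly, or from the Log4j project, covering both the inventory step recommended above and the "disable JNDI" mitigation mentioned for the second flaw: a Python scanner that walks a directory tree, opens every jar, war and ear (recursing into archives nested inside archives, where bundled copies of Log4j tend to hide), reads the log4j-core version from the Maven pom.properties entry or the file name, classifies each copy against CVE-2021-44228 and CVE-2021-45046, and can rewrite a jar with JndiLookup.class removed for a host that cannot be upgraded immediately. The pom.properties location, the version thresholds for the fixed branches, and the fixture jars built by build_sample_jar_bytes() (constructed placeholders, not real class files) are assumptions stated in the code.

```python
"""Inventory Log4j 2 core jars on disk, classify them against CVE-2021-44228
and CVE-2021-45046, and optionally apply the JndiLookup-removal mitigation.

Added example for illustration; not code from the article, the vendors it
cites, or the Log4j project. Assumptions: Maven-built log4j-core jars carry a
pom.properties entry with a version= line; fixed-branch thresholds follow the
Log4j 2.16.0 / 2.12.2 / 2.3.1 release notes; fixtures are constructed.
"""
import io
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # jar inside war inside ear is common; bound the recursion anyway
# Branches that disable JNDI by default (assumption, per Log4j release notes):
# 2.16.0 and later, plus the 2.12.2+ (Java 7) and 2.3.1+ (Java 6) backports.
FIXED_RANGES = (((2, 16, 0), (3, 0, 0)), ((2, 12, 2), (2, 13, 0)), ((2, 3, 1), (2, 4, 0)))


@dataclass
class Finding:
    location: str          # file path; "!" separates nested archive members
    version: Optional[str]
    has_jndi_lookup: bool
    status: str            # CVE-2021-44228 | CVE-2021-45046 | fixed | mitigated | unknown


def parse_version(version: str):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)  # "2.0-beta9" -> (2, 0, 0)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def classify(version: Optional[str], has_jndi_lookup: bool) -> str:
    if not has_jndi_lookup:
        return "mitigated"        # the class the exploit chain needs is gone
    v = parse_version(version) if version else None
    if v is None:
        return "unknown"          # never treat as safe; inspect by hand
    if any(lo <= v < hi for lo, hi in FIXED_RANGES):
        return "fixed"
    if v == (2, 15, 0):
        return "CVE-2021-45046"   # 2.15.0's fix is incomplete in some configurations
    return "CVE-2021-44228"       # 2.0-beta9 .. 2.14.1


def read_version(zf: zipfile.ZipFile, names: set, label: str) -> Optional[str]:
    if POM_PROPS in names:  # survives shading into fat jars better than the file name does
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", label)
    return m.group(1) if m else None


def inspect_archive(src, label: str, depth: int = 0, findings=None) -> List[Finding]:
    """Record any log4j-core found in this archive, then descend into nested archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(src)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            has_jndi = JNDI_LOOKUP_CLASS in names
            version = read_version(zf, names, label)
            findings.append(Finding(label, version, has_jndi, classify(version, has_jndi)))
        if depth < MAX_NESTING:
            for n in names:
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(io.BytesIO(zf.read(n)), f"{label}!{n}", depth + 1, findings)
    return findings


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                inspect_archive(path, path, 0, findings)
    return findings


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level jar without JndiLookup.class (the 'zip -q -d' mitigation)."""
    tmp, removed = jar_path + ".tmp", False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed


def build_sample_jar_bytes(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Constructed fixture: the entries a log4j-core jar has, with placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def run_demo():
    """Scan constructed fixtures, mitigate one jar, rescan; returns (before, after) status maps."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    os.makedirs(os.path.join(root, "lib"))
    for ver in ("2.14.1", "2.15.0", "2.16.0"):
        with open(os.path.join(root, "lib", f"log4j-core-{ver}.jar"), "wb") as fh:
            fh.write(build_sample_jar_bytes(ver))
    war = io.BytesIO()  # a vulnerable copy hidden one level down inside a deployable
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", build_sample_jar_bytes("2.13.3"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    rel = lambda f: f.location[len(root) + 1:]
    before = {rel(f): f.status for f in scan_tree(root)}
    strip_jndi_lookup(os.path.join(root, "lib", "log4j-core-2.14.1.jar"))
    after = {rel(f): f.status for f in scan_tree(root)}
    return before, after


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_tree(sys.argv[1]):
            print(f"{f.status:15} {f.version or '?':10} {f.location}")
    else:
        for loc, status in run_demo()[0].items():
            print(f"{status:15} {loc}")
```

Run it with a directory argument to inventory a real host, or with no argument to scan the constructed fixtures. Two caveats matter in practice: a status of "unknown" (JndiLookup.class present but no version found, typical of hand-shaded fat jars) must be inspected rather than treated as safe, and strip_jndi_lookup() only handles a top-level jar, so a vulnerable copy inside a war still needs the war rebuilt or the application upgraded.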
You'll find the CyberWire's continuing coverage of this incident on our site.