There are now signs that Fancy Bear, the threat group attributed to Russia's GRU, has been actively exploiting the Log4j vulnerabilities. SecurityScorecard reported this morning that it's observed Drovorub activity, and use of the Drovorub toolkit points to Fancy Bear, APT28, Russia's GRU military intelligence service. Drovorub, which means "woodcutter," is a toolkit developed by the GRU's 85th Main Special Services Center. And that activity has been extensive: SecurityScorecard regards Russian reconnaissance, probing, and probable exploitation as comparable in scale to what's been observed from China. More developments can be expected, the researchers write: "It’s important to remember that we are still in the very early days of trying to understand this security issue and how it’s being used by threat actors."
There's reason to think that self-propagating worms are under development to take advantage of the Log4j bugs. Researcher Greg Linares believes at least three groups are working on a Log4j worm. SecurityWeek, which cites Linares, also quotes other researchers who regard the news of a coming worm as at least unproven, at best unlikely, or, should a worm appear, likely to be less serious than some of the high-profile cases observed earlier this century.
Log4j is an open-source logging library maintained by the Apache Software Foundation, and some have asked whether the vulnerability disclosed as Log4shell should call into question the very idea of using open-source software. The short answer, according to some, is not at all. IT World Canada has a useful discussion of the issue, in which they point out that the Open Source Security Foundation is well-funded, backed by deep-pocketed tech firms, and that securing open-source software is not a hobbyist's labor of love.
MIT Technology Review takes the contrary view, arguing that the security of open-source software is indeed overlooked and underfunded. Their article quotes Veracode's CTO, Chris Wysopal, who says, “The open-source ecosystem is up there in importance to critical infrastructure with Linux, Windows, and the fundamental internet protocols. These are the top systemic risks to the internet.”
The US Cybersecurity and Infrastructure Security Agency (CISA) this morning issued Emergency Directive 22-02, directing the US Federal agencies that fall within its remit to identify and update all vulnerable systems no later than 5:00 PM Eastern Standard Time on December 23rd. CISA gives the agencies until December 28th to report completion.
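The "identify" half of that directive is the part most agencies will find hardest, because log4j-core is rarely installed on its own: it arrives inside application jars, wars and ears. The following Python scanner is an added example, not code from the CyberWire, CISA or Apache. It assumes that a log4j-core jar carries its Maven pom.properties at the path below, that the JNDI lookup class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class, that versions 2.0-beta9 through 2.14.1 are affected by CVE-2021-44228 (with 2.15.0, 2.12.2 and 2.3.1 being the fixed releases on their respective branches), and that a jar from which JndiLookup.class has already been deleted, which was Apache's published mitigation for 2.10 through 2.14.1, should be reported as mitigated rather than vulnerable. The sample archives it scans are constructed in a temporary directory so the script runs offline; on a real host, point scan_tree at the application roots instead.

```python
"""Find log4j-core archives on disk, including jars nested inside wars/ears,
and classify them against CVE-2021-44228. Added example; not CyberWire's,
CISA's or Apache's code. Version ranges and paths below are assumptions
stated in the lead-in."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str          # archive path; '!' separates nested archives
    version: str
    jndi_present: bool
    status: str        # "vulnerable", "mitigated", "not_affected" or "unknown"


def parse_version(text):
    """'2.14.1' -> (2,14,1,0); '2.0-beta9' -> (2,0,0,-1,'beta9'), which sorts
    below the final 2.0 release but above 2.0-beta8."""
    core, _, tag = text.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums = tuple((nums + [0, 0, 0])[:3])
    return nums + ((-1, tag) if tag else (0,))


def classify(version, jndi_present):
    """Status of one log4j-core jar for CVE-2021-44228 (assumed ranges)."""
    v = parse_version(version)
    affected = parse_version("2.0-beta9") <= v <= parse_version("2.14.1")
    # fixes back-ported to the Java 7 (2.12.x) and Java 6 (2.3.x) branches
    if v[:2] == (2, 12) and v >= parse_version("2.12.2"):
        affected = False
    if v[:2] == (2, 3) and v >= parse_version("2.3.1"):
        affected = False
    if not affected:
        return "not_affected"
    return "vulnerable" if jndi_present else "mitigated"


def scan_archive(data, label, findings):
    """Inspect one zip-format archive held in memory; recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.MULTILINE)
            jndi = JNDI_CLASS in names
            version = m.group(1) if m else "unknown"
            status = classify(version, jndi) if m else "unknown"
            findings.append(Finding(label, version, jndi, status))
        for name in names:  # e.g. WEB-INF/lib/log4j-core-*.jar inside a war
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return Findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return sorted(findings, key=lambda f: f.path)


def make_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: a vulnerable jar, one with JndiLookup removed,
    a fixed jar, and a war nesting a vulnerable jar."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    samples = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): make_jar("2.14.1", True),
        os.path.join(lib, "log4j-core-2.13.0.jar"): make_jar("2.13.0", False),
        os.path.join(root, "log4j-core-2.16.0.jar"): make_jar("2.16.0", True),
    }
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_jar("2.11.2", True))
    samples[os.path.join(root, "webapp.war")] = war.getvalue()
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed tree; return {relative path: status} with '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(f.path, root).replace(os.sep, "/"): f.status
                for f in scan_tree(root)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:13s} {path}")
```

Two caveats a practitioner should keep in mind. First, this checks only CVE-2021-44228; the 2.15.0 and 2.16.0 releases addressed further issues, so "not_affected" here means only that the original Log4shell bug is out of scope for that jar, not that it needs no update. Second, shaded or repackaged copies of log4j-core (a vendor jar that bundles the classes under its own Maven coordinates) will not carry the pom.properties path above, so a scan that also greps every archive for JndiLookup.class, and treats any hit without a recognisable version as "unknown" to be investigated, catches more.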
Vendors are working to patch their products against Log4shell, and it's proving to be the "struggle" most observers foresaw, Reuters reports. As the patches are issued, they should of course be applied as soon as practicable.
The CyberWire's continuing coverage of Log4shell may be found on our website.