Apache on Saturday introduced Log4j 2.17.0, a new version that addresses the denial-of-service risk posed by vulnerability CVE-2021-45105. The problem, now fixed in the latest release, is that, as Apache put it, "Apache Log4j2 does not always protect from infinite recursion in lookup evaluation."
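The practical question for defenders after that release is which deployed copies of log4j-core are still older than 2.17.0. The script below is an added example, not code from Apache or the CyberWire: it walks a directory tree, reads the version from each log4j-core jar's Maven `pom.properties` entry (falling back to the version embedded in the filename), and flags anything below 2.17.0, the version the page names as the fix for CVE-2021-45105. The sample jars it builds in `demo()` are constructed stand-ins, not real Log4j artifacts, and the comparison is deliberately simple: it does not account for backported fixes on older release branches, so treat a flag as a prompt to check Apache's advisory rather than a verdict.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 2.17.0 is the release the page says addresses CVE-2021-45105.
FIXED_VERSION = (2, 17, 0)

# Maven metadata path shipped inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Fallback: version embedded in the jar filename, e.g. log4j-core-2.14.1.jar
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(s):
    """Turn '2.17.0' or '2.0-beta9' into a comparable 3-tuple of ints."""
    nums = []
    for part in s.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def jar_version(path):
    """Return the log4j-core version string for a jar, or None if undeterminable."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a valid jar; fall through to the filename heuristic
    m = NAME_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def scan(root):
    """Walk root and return (path, version, needs_update) for each log4j-core jar found."""
    findings = []
    for p in Path(root).rglob("*.jar"):
        if "log4j-core" not in p.name.lower():
            continue
        version = jar_version(str(p))
        if version is None:
            continue
        findings.append((str(p), version, parse_version(version) < FIXED_VERSION))
    return findings


def make_sample_jar(path, version):
    """Constructed stand-in jar for offline demonstration; not a real Log4j artifact."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            POM_PROPS,
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )


def demo():
    """Build two constructed jars and return {filename: needs_update} from the scanner."""
    d = tempfile.mkdtemp()
    make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(d, "log4j-core-2.17.0.jar"), "2.17.0")
    return {os.path.basename(p): needs for p, _, needs in scan(d)}


if __name__ == "__main__":
    for name, needs in demo().items():
        print(f"{name}: {'UPDATE' if needs else 'ok'}")
```

Point `scan()` at an application directory or a container image's extracted filesystem; jars nested inside fat jars or WAR files are not unpacked here, so an inventory that needs to see those would have to recurse into nested archives as well.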
Ransomware continues to arrive via Log4shell. The first major ransomware strain to take advantage of Log4shell was newcomer Khonsari, but a familiar player has now also been observed exploiting the vulnerability. Advanced Intelligence (AdvIntel) tells BleepingComputer that it's observed Conti seeking to use Log4shell to move laterally into VMware vCenter networks. “The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit,” BleepingComputer quotes AdvIntel as saying. Those servers aren't normally exposed to the Internet, and Conti's activity shows that networks are susceptible to attack via RDP, VPN, or email phishing vectors. Thus security teams should expand their focus to include these alternative avenues of approach.
Bitdefender says its honeypots show that most attacks are originating in Germany and the US. But that doesn't mean the threat actors are predominantly German or American. "[T]hreat actors exploiting Log4j are routing their attacks through machines that are closer to their intended targets and just because we don’t see countries commonly associated with cybersecurity threats at the top of the list does not mean that attacks did not originate there." Thus the honeypots reveal staging, not origin. The geolocation of the targets is unsurprising, with the US, the UK, and Canada leading the pack. Rounding out the top ten are, in this order, Romania, Germany, Australia, France, the Netherlands, Brazil, and Italy.
Britain's National Cyber Security Centre (NCSC) has offered corporate boards advice on dealing with Log4j vulnerabilities. "The Log4j issue has the potential to cause severe impact to many organisations," NCSC writes. "As cyber security experts attempt to detect which software and organisations are vulnerable, attackers start to exploit the vulnerability. Initial reports indicate this is likely to include remote control malware and ransomware. However the situation is fluid and changing regularly."
More of the CyberWire's ongoing coverage of Log4j may be found on our site.