2022 begins with the continuing detection and mitigation of Log4j vulnerabilities.
On December 28th Checkmarx reported, and Apache fixed, a new arbitrary code execution vulnerability in Log4j. Newly released Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) all address CVE-2021-44832. BleepingComputer, keeping score, counts this as the fifth Log4j CVE that's been addressed in less than a month.
Microsoft last week issued new services designed to protect its users against exploitation of Log4j vulnerabilities. "New capabilities in threat and vulnerability management including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution," the company blogged on December 27th.
Redmond on Monday updated its Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. It's clear, sobering, and worth attention. In brief, Microsoft's researchers have been seeing ongoing exploitation across the full range of threat actors, from intelligence services down to low-level grifters using commodity tools. The vulnerabilities represent, in sum, "a complex and high-risk situation for companies across the globe." That risk extends beyond applications that use vulnerable libraries to any services that themselves employ such applications. Microsoft concludes, "Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."
The good news, as the Washington Post sees it, is that both companies and government agencies seem to be taking the issue seriously, and have been more on top of things than they were, for example, in the earlier Shellshock and Heartbleed incidents. May the vigilance be as ongoing as possible.

1.3.22
Industrial control system vendors are working to close Log4j vulnerabilities in their products. SecurityWeek has a useful and interesting summary of the ways in which the companies are working on the problem. Most of the issues the companies have found relate specifically to Log4Shell, but some of the later, lesser vulnerabilities have also been detected.
The UK's National Health Service on Thursday issued a warning that "unknown threat actors" are working to exploit vulnerable VMware Horizon servers to set up web shells on their victims' systems, thereby establishing persistence in their targets. The versions under active exploitation include Horizon Connection Server (64-bit) 2006-2111, 7.13.0-7.13.1, and 7.10.0-7.10.3. VMware was quick to respond to notification of Log4j vulnerabilities, and its products have received appropriate upgrades. Nonetheless, as the Record points out, a non-negligible number of users haven't yet updated their software, and the threat actors are misbehaving accordingly.
NHS doesn't identify the threat actor whose behavior it describes, and indeed there may not be any single actor responsible for the attempts. Duo Security's Decipher says that more than one bad actor is engaged in this kind of exploitation: "[S]ince the first disclosures of the Log4j bug a wide variety of attack groups have been exploiting it. APT groups, lone actors, and cybercrime groups all have been seen exploiting one or more of the Log4j flaws that have been disclosed in the last few weeks."
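The two version lists in this digest, the Log4j releases that fix CVE-2021-44832 (2.17.1, 2.12.4, 2.3.2 for Java 8, 7 and 6) and the Horizon Connection Server ranges the NHS alert names as under exploitation, are the kind of thing a defender ends up checking an inventory against. The following is an added example, not code from the original page, from Apache, VMware or the NHS; the version tables are transcribed from the text above, while the parsing rules, the branch-matching logic, the treatment of a range endpoint given with fewer components as covering all finer-grained releases under it, the handling of Log4j 1.x as "not covered", and the `triage` helper with its constructed inventory are my own assumptions.

```python
"""Version-range triage for the fixed / affected versions named in the digest.

Added example, not from the original page. The version tables below are
transcribed from the text; parsing and comparison rules are assumptions.
"""
import re
from typing import Dict, Iterable, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.17.1', 'v2.12.4-rc1' or '2111' into a tuple of ints.

    Only the leading dotted numeric part is used; a suffix such as '-rc1'
    or '-SNAPSHOT' is ignored (assumption). Raises ValueError otherwise.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


# Log4j 2 release lines and the first release on each that fixes
# CVE-2021-44832, as stated on the page: 2.17.1 (Java 8), 2.12.4 (Java 7),
# 2.3.2 (Java 6). A maintenance line is identified by (major, minor).
LOG4J_44832_FIX: Dict[Tuple[int, int], Version] = {
    (2, 17): (2, 17, 1),
    (2, 12): (2, 12, 4),
    (2, 3): (2, 3, 2),
}


def log4j_fixed_for_cve_2021_44832(version: str) -> Optional[bool]:
    """True if this Log4j 2 release carries the CVE-2021-44832 fix.

    Returns None for anything outside the 2.x line (Log4j 1.x is a separate
    code base the page does not discuss). Main-line releases at or above
    2.17.1 are fixed; the Java 7 and Java 6 lines are fixed from 2.12.4 and
    2.3.2; every other 2.x release (2.0 to 2.17.0 on the main line, 2.12.0
    to 2.12.3, 2.3.0 to 2.3.1) is not.
    """
    v = parse_version(version)
    if v[0] != 2:
        return None
    if v >= (2, 17, 1):
        return True
    branch = (v[0], v[1]) if len(v) > 1 else (v[0], 0)
    fix = LOG4J_44832_FIX.get(branch)
    return fix is not None and v >= fix


# VMware Horizon Connection Server versions the NHS alert lists as under
# active exploitation: 2006-2111, 7.13.0-7.13.1, 7.10.0-7.10.3 (from the page).
HORIZON_AFFECTED: Sequence[Tuple[Version, Version]] = (
    ((2006,), (2111,)),
    ((7, 13, 0), (7, 13, 1)),
    ((7, 10, 0), (7, 10, 3)),
)


def _in_range(v: Version, lo: Version, hi: Version) -> bool:
    """Inclusive range test at the granularity of the range endpoints.

    Assumption: an endpoint written with N components covers every release
    that shares those N leading components, so '2111.1' falls under '2111'
    and '7.13' is read as '7.13.0'.
    """
    width = max(len(lo), len(hi))
    padded = (v + (0,) * width)[:width]
    return lo <= padded <= hi


def horizon_in_affected_range(version: str) -> bool:
    """True if a Horizon Connection Server version is in an exploited range."""
    v = parse_version(version)
    return any(_in_range(v, lo, hi) for lo, hi in HORIZON_AFFECTED)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map host -> status for (host, product, version) rows.

    product is 'log4j' or 'horizon'; anything else is reported as unhandled.
    """
    out: Dict[str, str] = {}
    for host, product, version in inventory:
        if product == "log4j":
            fixed = log4j_fixed_for_cve_2021_44832(version)
            if fixed is None:
                out[host] = "log4j 1.x: not covered by the CVE-2021-44832 advisory"
            elif fixed:
                out[host] = "log4j patched for CVE-2021-44832"
            else:
                out[host] = "log4j needs update for CVE-2021-44832"
        elif product == "horizon":
            if horizon_in_affected_range(version):
                out[host] = "horizon in exploited range: update and review for compromise"
            else:
                out[host] = "horizon outside listed exploited ranges"
        else:
            out[host] = f"unhandled product {product!r}"
    return out


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("app-01", "log4j", "2.17.1"),
    ("app-02", "log4j", "2.16.0"),
    ("legacy-01", "log4j", "2.12.3"),
    ("legacy-02", "log4j", "1.2.17"),
    ("vdi-01", "horizon", "2103"),
    ("vdi-02", "horizon", "7.13.2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Two choices worth noting: a branch that is not one of the three named maintenance lines (2.13 through 2.16, or anything below 2.12 other than 2.3) is reported as needing an update, because no release on it carries this fix; and the range test compares only as many components as the range endpoint specifies, which matches how the NHS ranges are written but should be revisited if a vendor publishes a fix as a point release inside one of those ranges.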