Nation-state threat groups are exploiting Log4Shell

Reports of multiple nation-state actors leveraging the critical Log4j 2 flaw have inevitably surfaced.

Nicknamed "Log4Shell" and tracked as CVE-2021-4428, the flaw discovered in the open source Log4j 2 software package was initially disclosed last week, though it was reportedly exploited prior to public disclosure. Exploitation has only increased since, and though some fixes have been released, the flaw's broad impact on enterprises and security teams has already been made.

Now, Microsoft and Mandiant have each confirmed activity from Chinese and Iranian state actors. In an updated blog post Tuesday, Microsoft Threat Intelligence Center said it observed multiple threat actors, including groups originating from North Korea and Turkey as well, taking advantage of the remote code execution vulnerability in "active attacks."

The activity ranged from "experimentation during deployment, integration of the vulnerability to in-the-wild payload deployment and exploitation against targets to achieve the actor's objectives," according to Microsoft.

One of those objectives is selling network access to ransomware-as-a-service affiliates. The flaw was used by multiple groups acting as access brokers to gain initial access to those target networks, according to Microsoft. The activity was observed on both Linux and Windows systems, and Microsoft said it "may lead to an increase in human-operated ransomware impact."

One example Microsoft provided was the Iranian actor known as Phosphorus. According to the blog, Phosphorus has been "deploying ransomware, acquiring and making modifications of the Log4j exploit."

"We asses that Phosphorus has operationalized these modifications," the blog post said.

Mandiant also observed ransomware activity tied to Iranian state actors. John Hultquist, vice president of intelligence analysis at Mandiant, said in a statement that the Iranian actors associated with the flaw are "particularly aggressive" when it comes to their ransomware operations. Those operations, he said, may be primarily carried out for disruptive purposes rather than financial gain.

"They are also tied to more traditional cyberespionage," Hultquist said.

Microsoft's report also detailed insight into the Chinese state-sponsored group known as Hafnium, which was responsible for the initial attacks against vulnerable Microsoft Exchange Servers in March. The group has been using the Log4j 2 flaw to "attack virtualization infrastructure to extend their typical targeting."

Hultquist anticipates other state actors are leveraging the vulnerability as well, or preparing to do so.

"We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time," he said. "In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting."

The potential breadth of the problem is the biggest issue this vulnerability poses, according to Paul Ducklin, senior technologist at Sophos. He referred to the flaw as "extremely exploitable" and said "anyone can do it." One significant issue he addressed was the bug can be duplicated many times even on a single server, and security teams need to find all of them, not just one.

"Every computer, running every operating system on every different sort of CPU, in every corner of your network, could have latent copy of this vulnerability waiting to go off," Ducklin said in an email to SearchSecurity.

Security news writers Alexander Culafi and Shaun Nichols contributed to this article.