Last weekend, Microsoft confirmed that ongoing exploitation of an Apache Log4j vulnerability is expanding into organizations. Known as Log4Shell, the exploit was initially used only for crypto mining. However, Microsoft says the activity has now evolved to also target data theft and credential theft.
According to the company, its cyber security teams have found threats targeting the remote code execution (RCE) vulnerability that was found in Apache Log4j last week. Log4Shell is rated as a critical flaw in the open-source logging library. Because Log4j is common in cloud services, the potential for widespread damage is high.
In fact, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says hundreds of millions of devices are at risk. Now that the exploit is evolving to affect wider operations, organizations are at risk from data extraction, credential theft, and other attacks.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of CISA told CNN. “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage.”
In its blog post last Saturday, Microsoft Security said the attacks were escalating beyond crypto mining:
“Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.
One of the aspects that makes the Log4Shell exploit (tracked as CVE-2021-44228) so dangerous is the popularity of Log4j. The Java library logs error messages in applications and is used by the largest cloud vendors in the world. Microsoft Azure, Amazon Web Services, Google Cloud, Oracle, Cisco, IBM, VMware, Red Hat, and dozens more use the library.
Versions 2.0 to 2.14.1 of the Log4j software have a vulnerability that allows attackers to carry out remote code execution attacks. If successful, the attack leaves the threat actor with control of the device. The Apache Software Foundation has released version 2.15.0 to patch the flaw. However, as is always the case, the patch only helps once users apply it.
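A way to check a host for the affected versions named above, as an added example that is not Microsoft's or Apache's code: it walks a directory tree, reads the version each log4j-core jar declares in its Maven pom.properties (the metadata path log4j-core jars actually carry), and flags versions in the 2.0 to 2.14.1 range. The two sample jars are constructed fixtures.

```python
# Added example: inventory jars on disk and flag log4j-core versions inside the
# range the article names as affected (2.0 through 2.14.1; patched in 2.15.0).
import os, re, tempfile, zipfile

# Maven metadata that log4j-core jars carry; it declares the library version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)

def is_affected(version):
    """True when a version string such as '2.14.1' lies inside the affected range."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        return False  # unparseable: report it separately rather than guess
    parts = [int(p) for p in m.group(1).split(".")] + [0, 0]  # '2.0' -> (2, 0, 0)
    return AFFECTED_MIN <= tuple(parts[:3]) <= AFFECTED_MAX

def log4j_version_from_jar(path):
    """Version declared in the jar's pom.properties, or None if it has none."""
    try:
        with zipfile.ZipFile(path) as jar:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):  # not a zip, or no log4j-core metadata
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_tree(root):
    """Map each jar under root that carries log4j-core to (version, affected)."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                ver = log4j_version_from_jar(os.path.join(dirpath, name))
                if ver:
                    found[name] = (ver, is_affected(ver))
    return found

def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar containing only pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")

def demo():
    """Scan two constructed jars: one in the affected range, one patched."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "app-lib.jar"), "2.14.1")
        make_sample_jar(os.path.join(root, "other.jar"), "2.15.0")
        return scan_tree(root)
```

Shaded or nested jars that bundle log4j-core under another name are not found by this check, so treat a clean result as one input to the inventory, not proof of absence.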
Furthermore, the fix must also reach end users who are customers of those platforms, for example Microsoft Azure customers. That chain takes time, and there are always those who simply do not update, for whatever reason.
Microsoft warns that security teams in organizations should not focus solely on preventing the exploit from being used. The company suggests it may already be too late for that, so customers should be investigating whether the exploit is already present.
“We encourage defenders to look for signs of post-exploitation rather than fully relying on prevention,” Microsoft Security points out in its post. “Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.”
According to Microsoft Security Response Center (MSRC), the company is investigating how the vulnerability is affecting its own products. “If we identify any customer impact, we will notify the affected party,” a separate Microsoft post says.
There may be a way to mitigate the vulnerability until the patch is installed. Specifically, cyber security software firm Cybereason has created a tool that seems to shut down the flaw. Once the tool is in place, the Log4Shell exploit no longer functions. Yonatan Striem-Amit, co-founder of Cybereason, calls the tool a “vaccine” against the vulnerability.
“The idea isn’t that this is a long-term fix solution,” he cautions. “The idea is, you buy yourself time to now go and apply the best practices — patch your software, deploy a new version, and all the other things required for good IT hygiene.”