What is rapidly turning into one of the major InfoSec talking points for the year the threat posed by potential exploitation of the Log4j2 flaw is increasing exponentially for those who have not patched the popular logging application. In our previous coverage we detailed how threat actors distributing botnets, remote access trojans, coin miners, and ransomware were already weaponizing the flaw. Now, as predicted nation-state threat actors are looking to do the same.
It is clear that many security experts and cyber agencies warned that it was only a matter of time that nation-state groups would attempt to take advantage of the current whirlwind that is the Log4j2, also tracked as Log4Shell, flaw.
The US Cybersecurity and Infrastructure Security Agency CISA stated,
“CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
To help defend against exploitation CISA published a website with vital details for any network administrator to know. The website includes a host of mitigation strategies and has also published a dedicated GitHub repository to assist in detection and mitigation.
While such actions by government agencies like CISA is not unprecedented, these actions and the speed at which they have been carried out are reserved for the most severe of flaws.
Given that the flaw received a severity ranking of 10, the highest possible, and Microsoft believes that millions of devices are vulnerable to the flaw, Log4j2 most certainly warrants such a response.
Such a response is further justified when one considers that Microsoft recently published an article detailing how specific nation-state groups have been seen attempting to exploit the flaw. Microsoft notes,
“MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives…For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications…In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with the testing activity to fingerprint systems.”
Iranian Nation-State Groups and Ransomware
As Microsoft notes, Iranian threat actor Phosphorous has been deploying ransomware via the Log4j2 flaw. The use of ransomware by Iranian threat groups is not without precedent. In November this year Microsoft and security intelligence specialists DFIR discovered Phosphorous was deploying ransomware on targeted networks.
For the past two years, Microsoft has been not only tracking Phosphorous activity but has been involved in a cat and mouse game with the threat group. Microsoft first detailed how the threat group had been targeting attendees of a conference in Munich.
The group’s operational mandate seemed to be firmly in the realms of cyber espionage with Microsoft noting,
“The attackers have been sending possible attendees spoofed invitations by email. The emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations. Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering remote sessions…We believe Phosphorus is engaging in these attacks for intelligence collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”
However, in November Microsoft released an article detailing how at least six separate Iranian threat groups were looking to deploy ransomware on targeted networks. One of those that featured prominently in the analysis was Phosphorous.
One of the key tactics employed by the group was looking to exploit several vulnerabilities including an Exchange Server flaw, in order to gain initial access.
Once access was granted, and the level of access raised to include high access privileges the threat actors would look to deploy ransomware. In instances observed by researchers, Phosphorous threat actors were deploying the BitLocker to handle the encryption of data and dropping of a ransom note.
Another tactic that defines Phosophorous operations is that they are patient and spend not a short spell of time making sure they remain persistent on a victim’s infrastructure. Researchers noted,
“MSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator’s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.”
With security researchers seeing nation-state groups actively exploiting the Log4j2 flaw it is now more important than ever to make sure the latest patches are installed.