It is one of the most far-reaching security vulnerabilities in the history of the Internet, and gradually more and more hackers are trying to exploit it. State attackers are also trying to capitalize on the problem called Log4shell, which startled IT professionals around the world over the weekend. This is what IT security companies report.
The problem lies in the utility program Log4j, part of the widely used Java technology. It should only log what happens on a computer server. However, computers connected to the network, e.g., from online games or cloud providers, can be taken over by hackers via the vulnerability. Products from Amazon, Cisco, or IBM are always affected. The vulnerable technique is so widespread that professionals still find it difficult to gauge which and how many services are affected.
The IT security company Checkpoint has counted the attack attempts: on Saturday, twelve hours after the vulnerability became known, it was 40,000, after 72 hours it was more than 800,000. Because of the extremely rapid growth, Checkpoint speaks of a ‘cyber pandemic’.
The state hackers try to exploit Log4shell, reported among others, the Microsoft security team, which monitors and analyzes groups of hackers. State groups from China, Iran, North Korea, and Turkey would take advantage of Log4shell. They tried to adapt the attack technique for the vulnerability, which has been known since last week, for their purposes and to merge it with existing malware. In this way, unauthorized persons could completely take over computers remotely.
The Iranian group, named Phosphorus by Microsoft, used the vulnerability to install ransomware on target devices without authorization. Such software encrypts data on victims’ systems, rendering those systems unusable. It is often used to extort ransom from such ‘shackled’ companies and organizations. According to the analysts, the group uses ransomware to make money or simply to cripple its targets. The Chinese group called Hafnium is also attacking software infrastructure via Log4shell. Other groups have taken root in systems through the gap and are now selling access to them to ransomware hackers. The IT security company Mandiant also reports that it has observed Iranian and Chinese state hackers exploiting Log4shell.
According to Microsoft, however, so-called mass scans make up the largest part of Log4Shell activity: attackers practically feel their way through the Internet, looking for vulnerable devices. Botnets – armies of hijacked computers interconnected by criminals – also use this technology. However, some of the scans measured are likely to be traced back to IT security experts who want to protect devices rather than take them over. As on the weekend, hackers installed so-called coin miners on their victims’ computers. The attackers want to use their computing power to secretly generate cryptocurrencies for themselves. Windows and Linux systems are equally affected.
The Apache Software Foundation, which takes care of Log4j, has made a security update available to close the gap. The US cybersecurity agency, meanwhile, set a deadline. It urged federal agencies to download the update by Christmas. However, the update originally provided by the foundation did not fully protect systems. Version 2.15.0 of Log4j left a hole open which attackers could use to paralyze the software. The new update 2.16.0 closes this gap. Anyone who runs servers in the network should immediately take action.
Another state-sponsored hacking activity by the Iranian government has been spotted by security researchers in recent weeks which is targeting telecommunication and IT service providers in the Middle East and Asia.
The campaign has been conducted over the past six months, and there are tentative links to the Iranian-backed actor, famous as the MERCURY (MuddyWater, SeedWorm). This was reported by the Threat Hunter Team at Symantec. Information was collected from recent attacks against Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.