All Big tech players are responding to the disclosure of a critical vulnerability affecting the widely used Log4j logging utility, as exploitation attempts are on the rise.
Apache Log4j is a Java-based logging tool that is included in various open-source libraries and is directly embedded in many popular software applications. It came to light recently that the cross-platform library is affected by a critical remote code execution vulnerability tracked as CVE-2021-44228 and dubbed Log4Shell that can be exploited to gain complete access to the targeted system by getting the affected application to log a specially crafted string.
The list of affected companies and software includes Apple, Tencent, Twitter, Baidu, Steam, Minecraft, Cloudflare, Amazon, Tesla, Palo Alto Networks, IBM, Pulse Secure, Ghidra, ElasticSearch, Apache, Google, Webex, LinkedIn, Cisco, and VMware. The list is being regularly updated.
Attacks exploiting Log4Shell
Cloudflare reported seeing evidence of exploitation on December 1, but mass exploitation began only after the flaw was publicly disclosed. While most of the activity observed until now has focused on the identification of vulnerable systems exposed to the internet, there has been a significant increase in actual attacks exploiting Log4Shell.
Cisco’s Talos research and intelligence unit has seen exploitation attempts by APT groups, as well as botnets such as Mirai. The Netlab unit at Chinese cybersecurity firm Qihoo 360 reported seeing Log4Shell attacks involving the Muhstik botnet.
Cloud security company Lacework reported seeing the delivery of Mirai and a piece of crypto-mining malware known as Kinsing.
GreyNoise, a threat intel company which started seeing exploitation attempts on December 9, shortly after weaponized PoC exploits became available, has witnessed exploitation attempts coming from hundreds of IP addresses.
Bitdefender said most of the attacks seen by its honeypot network came from Russian IPs, and Lacework reported that much of the scanning it has seen originated from Tor nodes.
Microsoft has released blog posts with mitigation guidance for Azure and other customers.
VMware has also released an advisory to inform customers that many of its products are affected. The virtualization giant has started releasing patches and mitigations and warned that it has confirmed exploitation attempts in the wild.
Cisco is investigating the impact of CVE-2021-44228 on its products and confirmed to be affected.
The developers of the enterprise management software Jamf Pro have also confirmed being impacted and announced the availability of patches and mitigations. Researchers at Randori have confirmed that Jamf Pro can be targeted, and they believe that widespread exploitation is imminent.
Managed detection and response company Huntress, which has released a tool designed to help organizations test if their applications are affected by CVE-2021-44228, pointed out that MSPs such as Auvik, ConnectWise and N-able have confirmed being impacted.
Cybersecurity companies such as Qualys, Cloudflare, CrowdStrike, ShiftLeft, Bishop Fox, Sophos, NCC Group, IBM Security, SOC Prime, LunaSec, Forescout, F-Secure, Tenable, Malwarebytes and Cybereason have released blog posts to inform customers about the attacks, and how their products can detect exploitation attempts or vulnerable versions of the Log4j library.