Microsoft said Saturday that exploits so far of the critical Apache Log4j vulnerability, known as Log4Shell, extend beyond crypto coin mining and into more serious territory such as credential and data theft.
The tech giant said that its threat intelligence teams have been tracking attempts to exploit the remote code execution (RCE) vulnerability that was revealed late on Thursday. The vulnerability affects Apache Log4j, an open source logging library deployed broadly in cloud services and enterprise software. Many applications and services written in Java are potentially vulnerable.
More serious exploits
Attacks that take over machines to mine cryptocurrencies such as Bitcoin, also known as cryptojacking, can result in slower performance.
In addition to coin mining, however, Log4j exploits that Microsoft has seen so far include activities such as credential theft, lateral movement, and data exfiltration. Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 650,000 security customers.
In its post Saturday, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.”
In particular, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.
Microsoft did not cite specific cases of any of these attacks. VentureBeat has reached out to Microsoft for any updated information.
Cobalt Strike is a legitimate tool for penetration testing that is commercially available, but cyber criminals have increasingly begun to leverage the tool, according to a recent report from Proofpoint. Usage of Cobalt Strike by threat actors surged 161% in 2020, year over year, and the tool has been “appearing in Proofpoint threat data more frequently than ever” in 2021, the company said.
In response to the vulnerability, Microsoft said that security teams should focus on more than just attack prevention—and should also be looking for indicators of an exploit using a behavior-based detection approach.
Because the Log4Shell vulnerability is so broad, and deploying mitigations takes time in large environments, “we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention,” the company said in its post. “Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.”
In terms of Microsoft’s own products that may have vulnerabilities due to use of Log4j, the company has said that it’s investigating the issue. In a separate blog post Saturday, the Microsoft Security Response Center wrote that its security teams “have been conducting an active investigation of our products and services to understand where Apache Log4j may be used.”
“If we identify any customer impact, we will notify the affected party,” the Microsoft post says.
Patching the flaw
The Log4Shell vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.
“Something to keep in mind about this vulnerability is that you may be at risk without even knowing it,” said Roger Koehler, vice president of threat ops at managed detection and response firm Huntress, in an email. “Lots of enterprise organizations and the tools they use may include the Log4j package bundled in — but that inclusion isn’t always evident. As a result, many enterprise organizations are finding themselves at the mercy of their software vendors to patch and update their unique software as appropriate.”
However, patches for software products must be developed and rolled out by vendors, and it then takes additional time for businesses to test and deploy the patches. “The process can end up taking quite some time before businesses have actually patched their systems,” Koehler said.
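As an added example of the point about bundled copies (not code from the article or from any vendor it quotes), the following Python inventories log4j-core copies inside an application archive, including jars nested inside other jars, and flags versions in the 2.0 through 2.14.1 range cited above. It assumes each copy still ships its Maven pom.properties metadata; the sample archive and its file names are constructed.

```python
import io
import re
import zipfile

# Range stated in the article: 2.0 through 2.14.1 affected; 2.15.0 is the update.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Maven metadata that log4j-core jars normally carry (assumption: not stripped).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def is_affected(version):
    """True/False by numeric version (qualifiers like -beta9 ignored); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    v = tuple(int(g or 0) for g in m.groups())
    return AFFECTED_MIN <= v <= AFFECTED_MAX

def scan_archive(data, label, depth=0, max_depth=5):
    """Return [(location, version, affected)] for each log4j-core copy in the archive bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else "unknown"
                findings.append((label, version, is_affected(version)))
            elif name.lower().endswith((".jar", ".war", ".ear")) and depth < max_depth:
                # Bundled dependency: descend, recording the path of containers.
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings

def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_app():
    """Constructed sample: an app jar bundling one affected and one updated copy."""
    old = _make_zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n"})
    new = _make_zip({POM_PROPS: "artifactId=log4j-core\nversion=2.15.0\n"})
    vendor = _make_zip({"lib/log4j-core.jar": new})
    return _make_zip({"BOOT-INF/lib/log4j-core-2.14.1.jar": old,
                      "BOOT-INF/lib/vendor-sdk.jar": vendor, "app/Main.class": b""})

if __name__ == "__main__":
    for location, version, affected in scan_archive(build_sample_app(), "app.jar"):
        print(f"{location}: log4j-core {version} affected={affected}")
```

Copies that were repackaged without the Maven metadata are not found by this check, so an empty result does not prove an archive is free of Log4j.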
To help reduce risk in the meantime, workarounds have begun to emerge for security teams.
One tool, developed by researchers at security vendor Cybereason, disables the vulnerability and allows organizations to stay protected while they update their servers, according to the company.
After deploying it, any future attempts to exploit the Log4Shell vulnerability won’t work, said Yonatan Striem-Amit, cofounder and chief technology officer at Cybereason. The company has described the fix as a “vaccine” because it works by leveraging the Log4Shell vulnerability itself. It was released for free on Friday evening.
Still, no one should see the tool as a “permanent” solution to addressing the vulnerability in Log4j, Striem-Amit told VentureBeat.
“The idea isn’t that this is a long-term fix solution,” he said. “The idea is, you buy yourself time to now go and apply the best practices — patch your software, deploy a new version, and all the other things required for good IT hygiene.”
The Log4Shell vulnerability is considered highly dangerous because of the widespread use of Log4j in software and because the flaw is seen as fairly easy to exploit. The RCE flaw can ultimately enable an attacker to remotely access and control devices.
Log4Shell is “probably the most significant [vulnerability] in a decade” and may end up being the “most significant ever,” Tenable CEO Amit Yoran said Saturday on Twitter.
According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted Saturday.