The Log4j Vulnerability Is Now Used by State-Backed Hackers

The vulnerability, officially tagged as CVE-2021-44228 and called Log4Shell or LogJam, is an unauthenticated RCE vulnerability that allows total system takeover on systems running Log4j 2.0-beta9 through 2.14.1.

What Happened?

Nation-state hackers of various sorts have pounced on the recently reported major vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging framework.

Cryptocurrency mining organizations and botnets were among the first threat actors to use Log4Shell to deliver payloads, launching attacks as soon as the proof-of-concept exploit code was published.

Microsoft Threat Intelligence Center (MSTIC) observed the critical Log4j bug being exploited to drop Cobalt Strike beacons. As reported by BleepingComputer, MSTIC revised the report to include that it observed nation-state activity using Log4Shell, sometimes during active assaults.

MSTIC updated the report on Tuesday to add that it detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked groups “groups originating from China, Iran, North Korea, and Turkey.”

MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.

For example, MSTIC has observed PHOSPHORUS, an

Read More: https://heimdalsecurity.com/blog/the-log4j-vulnerability-is-now-used-by-state-backed-hackers/