URL: https://threatpost.com/log4j-attacks-state-actors-worm/177088/

RELENTLESS LOG4J ATTACKS INCLUDE STATE ACTORS, POSSIBLE WORM

Author: Becky Bracken
December 15, 2021 6:18 pm
4 minute read
More than 1.8 million attacks, against half of all corporate networks, have
already launched to exploit Log4Shell.

Call it a “logjam” of threats: Attackers including nation-state actors have
already targeted half of all corporate global networks in security companies’
telemetry using at least 70 distinct malware families — and the fallout from the
Log4j vulnerability is just beginning.

Researchers manning keyboards all over the world have spent the past several
days chasing attacks aimed at a now-infamous Log4j Java library bug, dubbed
Log4Shell (CVE-2021-44228). Side note: Log4j is pronounced, “log forge” —
although that’s disputed, because it’s also referred to in conversation as
“log-four-jay.” Dealer’s choice there.

First spotted among Minecraft players last week, the newly discovered
vulnerability has opened a massive opportunity for threat actors to hijack
servers, mostly with coin miners and botnets, but also a cornucopia of other
malware such as the StealthLoader trojan — and that’s just so far.

“We’ve seen a lot of chatter on Dark Web forums, including sharing scanners,
bypasses and exploits,” Erick Galinkin, an artificial intelligence researcher at
Rapid7, told Threatpost. “At this point, more than 70 distinct malware families
have been identified by us and other security researchers.”

For instance, Bitdefender researchers this week discovered that threat actors
are attempting to exploit Log4Shell to deliver a new ransomware called Khonsari
to Windows machines.

Check Point research reported Wednesday that since last Friday, its team has
detected 1.8 million Log4j exploit attempts on almost half of all corporate
networks that they track.

These threat actors aren’t low-skilled hobbyists. Check Point added that as of
Wednesday, Iranian hacking group Charming Kitten, also known as APT 35 and
widely believed to be working as a nation-state actor, is actively targeting
seven specific Israeli organizations across the government and business sectors.

“Our reports of the last 48 hours prove that both criminal-hacking groups and
nation state actors are engaged in the exploration of this vulnerability, and we
should all assume more such actors’ operations are to be revealed in the coming
days,” Check Point added.

Microsoft meanwhile reported that nation-state groups Phosphorus (Iran) and
Hafnium (China), as well as unnamed APTs from North Korea and Turkey are
actively exploiting Log4Shell (CVE-2021-44228) in targeted attacks. Hafnium is
known for targeting Exchange servers with the ProxyLogon zero-days back in
March, while Phosphorus made headlines for targeting global summits and
conferences in 2020.

“This activity ranges from experimentation during development, integration of
the vulnerability to in-the-wild payload deployment and exploitation against
targets to achieve the actor’s objectives,” the company said in a posting.


IS A LOG4J WORM NEXT?

Researcher Greg Linares meanwhile has reported seeing evidence that a
self-propagating worm is being developed and will likely emerge in a day or
less.

There is wide agreement within the cybersecurity community that he’s correct,
but many experts don’t think the fallout will be as bad with Log4j as it was
with past incidents like WannaCry or NotPetya.

“While it’s possible that we could see a worm developed to spread among
susceptible Log4j devices, there hasn’t been any evidence to suggest this is a
priority for threat actors at this time,” Chris Morgan, senior cyber threat
intelligence analyst at Digital Shadows, told Threatpost. “Developing malware of
this nature takes a significant amount of time and effort.”

“This activity differs from the WannaCry incident, which saw a perfect storm of
a highly exploitable vulnerability coinciding with an NSA-level exploit breach
in EternalBlue,” Morgan added.

“It’s still very much early days with regards to Log4j,” Morgan said. “While
many threat actors will likely be at different stages of the kill chain, most
actors will likely still be scanning for susceptible systems, attempting to
establish a foothold, and identifying further opportunities, depending on their
motivations. Efforts among actors at this stage are rushing to exploit before
companies have a chance to patch, rather than spending time developing a worm.”

The emergence of a Log4j worm isn’t the worst-case scenario, researchers like
Yaniv Balmas from Salt Security explained to Threatpost.

“While not neglecting the impact of such a worm, that might not be the worst
scenario because of the unbelievable easiness that this attack can be applied,”
Balmas said. “Everyone with a basic computer and internet access could launch an
attack against millions of online services within minutes. This achieves quite a
similar impact as a worm – it is distributed and unpredictable, and the damage
extent might even be higher than a worm since a worm works ‘blindly’ in an
automated manner.”

He added, “in this other scenario, there are actual humans behind the attacks
which may target specific entities or institutions and enable attackers to
fine-tune their attacks as they progress.”

The tireless work being done by security teams to patch up Log4j against
exploits is a big help against the development of any worms on the horizon,
according to John Bambenek with Netenrich.

“This vulnerability certainly looks wormable; however, the good news is we’ve
already had almost a week to start dealing with detection, mitigation and
patching,” Bambenek told Threatpost. “There will be lots of vulnerable machines
out there, but by now a good deal of the vulnerable machines have been handled
and many more are protected with web application firewall (WAF) rules (for
instance, Cloudflare deployed protection over the weekend). The worst case would
have been a worm last week; we’re in a better place now.”


LOG4J’S LONG TAIL

Beyond emergency patching measures, Galinkin explained to Threatpost that his
concern is with lingering unpatched devices and systems that will be vulnerable
long after Log4j has fallen out of the headlines, particularly in sectors like
academia and healthcare.

“One crucial thing to note about this vulnerability is that it’s going to have
an extremely long tail,” he said. “Hospitals tend to purchase software once, but
sometimes the vendors become defunct — leading to unsupported software that will
never receive a patch.”

He added, “in academia, loads of software is written once by grad students or
professors, but those individuals may not be aware of the bug, or they simply no
longer maintain the software — software that is in use in physics, pharmacology
and bioinformatics. This suggests that we will continue to see exploitation of
this vulnerability — potentially in isolated incidents — long into the future.”

