Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities

Microsoft is warning of continuing attempts by nation-state
adversaries and commodity attackers to take advantage of security vulnerabilities^[1] uncovered in the Log4j
open-source logging framework to deploy malware on vulnerable
systems.

“Exploitation attempts and testing have remained high during the
last weeks of December,” Microsoft Threat Intelligence Center
(MSTIC) said^[2]
in revised guidance published earlier this week. “We have observed
many existing attackers adding exploits of these vulnerabilities in
their existing malware kits and tactics, from coin miners to
hands-on-keyboard attacks.”

Publicly disclosed by the Apache Software Foundation on December
10, 2021, the remote code execution (RCE) vulnerability in Apache
Log4j 2, aka Log4Shell^[3], has emerged as a new
attack vector for widespread exploitation^[4]
by a variety of threat actors.

In the subsequent weeks, four more weaknesses in the utility
have come to light — CVE-2021-45046^[5], CVE-2021-45105^[6], CVE-2021-4104^[7], and CVE-2021-44832^[8]
— providing opportunistic bad actors with persistent control over
the compromised machines and mount an evolving array of attacks
ranging from cryptocurrency miners^[9]
to ransomware^[10].

Even as the mass scanning attempts are showing no signs of
letting up, efforts are underway to evade string-matching
detections by obfuscating the malicious HTTP requests orchestrated
to generate a web request log using Log4j that leverages JNDI to
perform a request to the attacker-controlled site.

In addition, Microsoft said it observed “rapid uptake of the
vulnerability into existing botnets like Mirai, existing campaigns
previously targeting vulnerable Elasticsearch systems to deploy
cryptocurrency miners, and activity deploying the Tsunami^[11] backdoor to Linux
systems.”

On top of that, the Log4Shell vulnerability has also been put to
use to drop additional remote access toolkits and reverse shells
such as Meterpreter^[12], Bladabindi^[13] (aka NjRAT), and
HabitsRAT^[14].

“At this juncture, customers should assume broad availability of
exploit code and scanning capabilities to be a real and present
danger to their environments,” MSTIC noted. “Due to the many
software and services that are impacted and given the pace of
updates, this is expected to have a long tail for remediation,
requiring^[15] ongoing, sustainable
vigilance.”

The development also comes as the U.S. Federal Trade Commission
(FTC) issued^[16] a warning that it
“intends to use its full legal authority to pursue companies that
fail to take reasonable steps to protect consumer data from
exposure as a result of Log4j, or similar known vulnerabilities in
the future.”