Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers. In this article we have compiled the known payloads, scans, and attacks using the Log4j vulnerability. Early Friday morning, an exploit was publicly released for a critical zero-day vulnerability dubbed ‘Log4Shell’ in the Apache Log4j Java-based logging platform. This vulnerability allows attackers to remotely execute a command on a vulnerable server simply by searching for or changing their browser’s user agent to a special string. Soon after, Apache released Log4j 2.15.0 to resolve the vulnerability, but threat actors had already started to scan for and exploit vulnerable servers to exfiltrate data, install malware, or take over the server.
DOJ gives Russian national two-year sentence for work shielding Kelihos malware and other ransomware
The Department of Justice sentenced 41-year-old Oleg Koshkin to two years in prison for his work in helping to “conceal” the Kelihos malware and other ransomware from antivirus software. He was facing up to 15 years in prison. According to the DOJ, Koshkin ran Crypt4U.com, Crypt4U.net, fud.bz and fud.re, websites that helped hackers evade “nearly every major provider of antivirus software.” The tools allegedly enabled malware like Kelihos and others to be undetectable. Koshkin was arrested in California in September 2019 and transported to Connecticut for his trial before being convicted in June on one count of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse.
New White House policy gives agencies 24 hours to assess cyberattacks of potential national security concern
The White House has enacted a new policy requiring the FBI and other agencies to help US officials quickly assess whether a cyberattack “rises to the level of a national security concern” that could hamper the provision of key services such as fuel or food, according to a National Security Council memo obtained by CNN and two US officials. The NSC memo in some cases gives US security and intelligence agencies just 24 hours after they learn of serious hacks to deliver initial assessments to senior White House officials on the severity of the situations. The goal is to more quickly determine whether a ransomware attack, for example, might affect multiple sectors of the economy — and if the government may need to mobilize backup supplies of commodities, as it prepared to do after a ransomware attack on a US pipeline operator in May.
Brazil’s health ministry said its website was hit on Friday by a hacker attack that took several systems down, including one with information about the national immunization program and another used to issue digital vaccination certificates. The government put off for a week implementing new health requirements for travelers arriving in Brazil due to the attack. “The health ministry reports that in the early hours of Friday it suffered an incident that temporarily compromised some of its systems … which are currently unavailable,” it said in a statement. Police said they were investigating the attack.
The cable and telecommunications provider Cox Communications has disclosed a data breach after a hacker was able to gain access to the personal information of its customers by impersonating a support agent. The company’s customers recently began receiving letters in the mail informing them that an unknown person or persons had impersonated a Cox support agent in order access customer information. Although few details about the extent of the data breach have been released at this time, the hacker likely employed social engineering as a means to gain access to Cox’s internal systems. Once the company learned that a hacker had impersonated one of its support staff, it immediately launched an internal investigation into the matter and notified law enforcement of the incident.
While a public proof-of-concept code was released last Thursday, attacks exploiting the Log4Shell vulnerability started two weeks ago. The first attacks were observed on December 1 and December 2, according to Cloudflare and Cisco Talos, respectively. Although mass exploitation started over the weekend, this revelation means that security teams need to broaden their incident response investigations and check for signs of possible exploitation against their networks to the start of the month, just to be on the safe side. Currently, attacks abusing the Log4Shell vulnerability are still tame—if the word can even be used to describe the abuse of a security flaw. The vast of attacks have originated from professional crypto-mining and DDoS botnets, such as Mirai, Muhstik, and Kinsing, which are typically the first to exploit any meaningful enterprise bug before everyone else.