Nation-states such as Iran, China and North Korea are actively looking for ways to exploit the Log4Shell software vulnerability.

NCA’s Lisa Plaggemier

That’s according to Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA). Last week, researchers discovered a zero-day exploit in the popular Java logging library log4j. It results in remote code execution (RCE) by logging a certain string.

UKG, the parent company of human resources management company Kronos, has been hit with ransomware. Although the company isn’t confirming it, reports suggest the ransomware attack exploited the Log4Shell software vulnerability.

Thousands of applications, libraries and frameworks use log4j.

CloudFlare, Minecraft, SMBs Impacted

“Unfortunately, the ramifications of this vulnerability have proven to be just as far-reaching as many had anticipated,” Plaggemier said. “Businesses ranging from Apple’s CloudFlare and Minecraft to SMBs have all been impacted by this vulnerability, and are working incredibly rapidly to patch it. The good news is that Apache has made a patch readily available. And many companies including IBM, AWS and many others, have been keeping their customers apprised of progress around the situation. However, this has certainly been incredibly concerning for those impacted and is definitely a black eye for such a widely used and trusted tool.”

On its website, CloudFlare urges any customers using log4j to update to version 2.16.0 as soon as possible.

“To make matters worse for those affected, it has been uncovered that nation-states such as Iran, China and North Korea, have all begun looking into ways to exploit this vulnerability – if they haven’t already,” Plaggemier said. “And regrettably it seems that this could only be the tip of the iceberg as cybercriminals look for similar vulnerabilities in related tools.”

From a timing perspective, the discovery of the Log4Shell software vulnerability could not have come at a worse time, she said.

“With the typical surge of online shopping around the holidays, paired with the ongoing fallout of the COVID-19 pandemic and the supply chain gridlock, another disruption is the last thing businesses need right now,” Plaggemier said. “Therefore, it is really important that Apache continues to do everything it possibly can to get patches installed as quickly as possible.”

Long-Play Vulnerability

Sophos’ Sean Gallagher

Sean Gallagher is senior threat researcher at Sophos.

“We are tracking attempts, but we have no specific information on victims of the exploit working at this time,” he said. “This is a long play vulnerability, and we may not know who was affected for weeks or months.”

There are indications from other sources that some advanced persistent threats (APTs) have been trying to use the exploit, Gallagher said.

This is a vulnerability that would lend itself to espionage or state-sponsored attacks, he said.

Sophos sees the number of overall probes going down, Gallagher said. But that’s likely the result of reduced mass-scanning and more targeted attempts.

“The danger remains the same,” he said. “If you’ve checked and found your Java-based server applications are currently not vulnerable, but you’re running the previous version of log4j 2.x, you need to determine if you patched it or if an external actor did after exploiting it.”

There’s already been previous patterns of ransomware during the holidays, Gallagher said.