Two years after disclosing the Log4Shell vulnerability (CVE-2021-44228), a critical remote code execution (RCE) flaw in the open-source Java logging utility Log4j continues to pose a significant threat. Despite widespread patching efforts, nearly one in four applications still rely on outdated Log4j libraries, rendering them susceptible to exploitation.
Notably, the Lazarus hacking group has initiated a new cyber campaign called “Operation Blacksmith,” targeting manufacturing, agriculture, and physical security companies globally. Exploiting the Log4Shell vulnerability, the group employs three previously unseen malware families coded in the rarely used D programming language:
- NineRAT: A remote access trojan (RAT) communicates via the Telegram API for command and control, data exfiltration, and persistence.
- DLRAT: This trojan and downloader serve to introduce additional payloads and collect system information.
- BottomLoader: Functioning as a downloader, it fetches and executes payloads, establishes persistence, and exfiltrates files.
Over 38% of applications using Log4j remain vulnerable to security issues, including the critical Log4Shell exploit (CVE-2021-44228). This unauthenticated RCE flaw permits attackers to completely control systems utilizing vulnerable Log4j versions (2.0-beta9 through 2.15.0).
Impact:
- Successful exploitation could allow attackers to control affected systems remotely, steal data, deploy malware, or disrupt operations.
- Even patched versions of Log4j (2.17) are vulnerable to another RCE bug (CVE-2021-44832).
- EOL versions of Log4j are susceptible to seven high and critical-rated vulnerabilities, including Log4Shell.
- Exploited systems can face operational disruptions, data theft, and compromised credentials.
Who is Affected?
- Applications and systems using Log4j versions 2.0-beta9 through 2.15.0 (pre-2015 EOL versions) are directly vulnerable to Log4Shell.
- Applications using Log4j 2.17 are vulnerable to CVE-2021-44832.
- Organizations unaware of their open-source software dependencies are at increased risk.
- Manufacturing, agriculture, and physical security companies are the primary targets, but any organization using vulnerable Log4j is at risk.
Remediation:
- Update Log4j to the latest patched version:
- Log4j 2.17.1 (Java 8)
- Log4j 2.13.4 (Java 7)
- Log4j 2.3.2 (Java 6)
- Implement Software Composition Analysis (SCA) tools to identify and track vulnerable libraries.
- Train developers on secure coding practices and open-source software security risks.
- Limit public exposure of VMware Horizon servers and restrict access with strong authentication.
- Monitor systems for suspicious activity and implement intrusion detection/prevention systems.
How Can Accorian Help:
- Quick Detection Scan: Accorian can offer a quick detection scan to identify potential Log4Shell vulnerabilities within your systems.
Furthermore, Accorian offers a range of security solutions to help you mitigate the risk of Log4Shell and other cyber threats:
- Vulnerability Assessment and Penetration Testing: Identify and remediate vulnerabilities in your systems, including Log4j.
- Security Information and Event Management (SIEM): Monitor your network for suspicious activity and detect potential breaches.
- Incident Response: Respond to cyberattacks quickly and effectively to minimize damage.
Source: https://www.scmagazine.com/news/lazarus-group-uses-novel-malware-in-latest-log4j-campaign
Contact us to schedule a scan and discuss your specific security needs.
For any further assistance, kindly reach out to us on info@accorian.com
Threat Advisory
Team Accorian