According to John Hultquist, VP of Intelligence Analysis, Mandiant, Iranian state hackers are specifically aggressive with this Log4j vulnerability.
Cybersecurity firms Mandiant and CrowdStrike have confirmed that Iranian and Chinese state threat actors are exploiting the recently discovered Log4j or Log4Shell vulnerability, and many other actors are planning to exploit it.
Some reports suggest that North Korean and Turkish hackers are also using Log4j vulnerability for malicious purposes.
A lot of cyber folks have been predicting that state-sponsored hackers would exploit log4j, and last night attributions started dropping. Mandiant seeing China and Iran using it; Microsoft seeing those plus North Korea and Turkey.
— Kevin Collier (@kevincollier) December 15, 2021
What is Log4j?
The high-severity Log4j vulnerability made headlines last week. It took the cybersecurity world by storm as researchers warned that ransomware attacks could surge once threat actors began exploiting it.
It is a critical RCE (remote code execution) flaw in the commonly used Java-based logging tool Apache Log4j. The vulnerability, tracked as CVE-2021-44228, was discovered in November and patched on 6 December.
However, exploitation of Apache Log4j started as early as 1 December, and wide-scale attacks were observed from 9 December onwards after proof-of-concept exploits surfaced on the web.
According to John Hultquist, Mandiant's vice president of intelligence analysis, threat actors are quickly working to create footholds in “desirable networks for follow-on activity, which may last for some time.”
Hultquist noted that in some cases the threat actors work from a “wish list of targets”, while in other cases targets are selected after broader targeting. He added that Iranian state hackers are particularly aggressive with this flaw and have taken part in ransomware operations intended to cause widespread disruption rather than financial gain.
“They are also tied to more traditional cyber espionage,” Hultquist observed. However, the company didn’t disclose the names of the Iranian and Chinese state actors linked with Log4j exploitation.
“We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well or preparing to,” Hultquist said.
“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity that may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting,” Hultquist warned.
“The Iranian actors who we have associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain. They are also tied to more traditional cyber espionage,” Hultquist concluded.
The senior vice president of intelligence at CrowdStrike, Adam Meyers, stated that the Iranian state-backed group Nemesis Kitten had recently deployed a class file on a server that could be triggered by the Log4j vulnerability.
Considering the intent, timing, and capability behind this deployment, it is apparent that the group is attempting to exploit the Log4Shell vulnerability. It is worth noting that CrowdStrike had previously identified destructive and disruptive attacks by Nemesis Kitten.