Description

The Dutch National Cybersecurity Centre (NCSC) issued a warning on January 20, 2022, stating that companies should be aware of the threat posed by Log4j attacks and stay alert for ongoing threats. Although the fallout from recent Log4Shell exploitation incidents was "not too bad" because many organizations acted quickly to address these critical vulnerabilities, the NCSC predicts that malicious parties will continue to look for vulnerable systems and launch targeted attacks in the coming months.

Because the open-source Apache Log4j logging library is used in a wide range of systems from dozens of manufacturers, Log4j vulnerabilities (particularly Log4Shell) are a very enticing attack vector for both financially motivated and state-backed attackers. They can be exploited remotely on servers reachable from the local network or the Internet, allowing attackers to move laterally through a network until they reach sensitive internal systems. For instance, according to a Microsoft report released on January 19, 2022, unknown threat actors attempted to extend Log4j attacks to an organization's internal LDAP servers by exploiting a SolarWinds Serv-U zero-day. The attacks failed, however, because the targeted Windows domain controllers were not vulnerable to Log4j flaws. Microsoft had previously warned about a Chinese threat actor tracked as DEV-0401 deploying Night Sky ransomware via Log4Shell vulnerabilities on Internet-exposed VMware Horizon systems.