In a warning released on Thursday, the Netherlands National Cybersecurity Center (NCSC) says organizations should always be aware of the risks of Log4j attacks and remain vigilant for ongoing threats.
Although the consequences of recent incidents involving the exploitation of Log4Shell were “not too severe”, because many organizations acted quickly to mitigate these critical vulnerabilities, the NCSC says threat actors are most likely still planning to breach new targets.
“Malicious parties are expected to continue searching for vulnerable systems and carrying out targeted attacks in the coming period,” the Dutch cybersecurity agency said.
“It is therefore important to remain vigilant. The NCSC advises organizations to continue to monitor whether vulnerable systems are in use and to apply updates or mitigations if necessary.
“In addition, the NCSC advises administrators to remain vigilant by learning about Log4j and the possible impact of abuse on business continuity.”
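The NCSC advice above comes down to two checks a defender can automate: find out whether a vulnerable Log4j build is still deployed, and confirm that the update or mitigation actually landed. The following Python script is an added example, not code from the NCSC or from the Apache Log4j project. It walks a directory tree, opens every log4j-core jar, reads the version from the manifest and checks whether the JNDI lookup class is still inside the archive. It assumes two facts the article does not state: that the first fix for CVE-2021-44228 shipped in log4j-core 2.15.0, and that removing `JndiLookup.class` from the jar was Apache's documented mitigation for systems that could not be upgraded immediately. The sample jars it builds for testing are constructed in memory and are not real Log4j builds.

```python
import io
import re
import zipfile
from pathlib import Path

# CVE-2021-44228 (Log4Shell) affects log4j-core 2.x builds older than 2.15.0,
# the release that carried the first fix (assumed from the Apache advisory;
# not stated in the article). Only this CVE is checked here; later Log4j CVEs
# have their own fixed versions and are out of scope for this example.
FIXED_VERSION = (2, 15, 0)

# Deleting this class from the jar was Apache's documented mitigation for
# deployments that could not upgrade straight away (assumed, as above).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version):
    """Turn a manifest version string such as '2.14.1' into a comparable tuple.
    Non-numeric suffixes are dropped and short versions are padded with zeros."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def inspect_log4j_jar(jar_bytes):
    """Classify one log4j-core jar (given as bytes).

    Returns a dict with keys version, has_jndi_lookup and status, where status
    is 'patched' (version at or above the fix), 'mitigated' (old build but the
    lookup class was removed), 'vulnerable' (old build, class still present)
    or 'unknown' (class present but no version could be read).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
                    break

    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None and parse_version(version) >= FIXED_VERSION:
        status = "patched"
    elif not has_jndi:
        status = "mitigated"
    elif version is None:
        status = "unknown"
    else:
        status = "vulnerable"
    return {"version": version, "has_jndi_lookup": has_jndi, "status": status}


def scan_directory(root):
    """Walk a directory tree and inspect every jar named like log4j-core."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        if jar.name.startswith("log4j-core"):
            result = inspect_log4j_jar(jar.read_bytes())
            result["path"] = str(jar)
            findings.append(result)
    return findings


def build_sample_jar(version, include_jndi_lookup):
    """Constructed sample jar for offline testing; not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version is not None:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Four constructed cases: old build, old build with class removed,
    # fixed build, and a jar with no readable version.
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.17.1", True), (None, True)):
        print(ver, jndi, inspect_log4j_jar(build_sample_jar(ver, jndi))["status"])
```

On a real host, call `scan_directory("/opt")` (or wherever application jars live) and treat every `vulnerable` or `unknown` result as a system that still needs the update or mitigation the NCSC refers to. Matching on the jar file name is deliberately narrow: Log4j bundled inside a fat jar or a WAR will not be found this way and needs the nested archives unpacked first.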
Log4j vulnerabilities (including Log4Shell) are a very attractive attack vector for financially motivated and state-backed attackers, given that the open-source Apache Log4j logging library is used in a wide range of systems from dozens of suppliers.
Log4Shell, in particular, can be exploited remotely on servers reachable from the local network or the internet, giving attackers a foothold from which to move laterally across a network until they reach sensitive internal systems.
After its disclosure, several threat actors began deploying Log4Shell exploits, including government-linked hacking groups in China, Iran, North Korea, and Turkey, as well as initial access brokers working with ransomware gangs.
Log4j is still under active exploitation
The NCSC’s warning is timely, as government and private organizations around the world have issued several alerts about ongoing Log4j exploitation.
For example, a report published by Microsoft on Wednesday describes attempts by unknown malicious actors to exploit a SolarWinds Serv-U zero-day in order to propagate Log4j attacks against an organization’s internal LDAP servers.
However, the attacks failed because the Windows domain controllers targeted in the incident were not vulnerable to Log4j exploits.
A week earlier, Microsoft warned of a Chinese threat actor, tracked as DEV-0401, using Log4Shell exploits against internet-exposed VMware Horizon servers to deploy Night Sky ransomware.
“As of January 4, attackers began exploiting the CVE-2021-44228 vulnerability in internet-connected systems running VMware Horizon,” Microsoft said.
“Our investigation shows that successful intrusions into these campaigns led to the deployment of NightSky ransomware.”
Microsoft’s reports were preceded by another alert issued by the UK’s National Health Service (NHS) on January 5 about attackers targeting VMware Horizon systems with Log4Shell exploits.