Threat actors, including at least one nation-state actor, are attempting to exploit the recently disclosed Log4j vulnerability to deploy ransomware, remote access trojans, and web shells on vulnerable systems. All the while, organizations keep downloading versions of the logging library that still contain the vulnerability.
This new activity represents an escalation from the attackers' initial exploit attempts, which mainly focused on dropping crypto-miners and recruiting compromised systems into botnets. Targeted systems include servers, virtual machines, desktop computers, and IP cameras.
CrowdStrike said on Tuesday that it had observed steps taken by a nation-state actor suggesting an interest in exploiting the flaw.
“CrowdStrike Intelligence has observed that the state-sponsored actor NEMESIS KITTEN, based outside Iran, recently published a class file to a server that could be executed by Log4j,” says Adam Myers, Senior Vice President of Intelligence at CrowdStrike. “The timing, intent, and capability match what would be expected of an adversary attempting to exploit Log4j,” he adds. Myers describes NEMESIS KITTEN as an adversary that has previously carried out both disruptive and destructive attacks.
The latest developments add to the urgency for organizations to update to the new version of the Log4j logging framework that the Apache Software Foundation released on December 10, or to implement the project's recommended mitigations, security experts said this week.
Read the full article on Dark Reading.