If you have not yet applied the Log4j security patches, assume that your network is compromised: that is the warning just issued in a joint security advisory by CISA, the US cybersecurity agency, and the FBI, the main US federal law enforcement agency.
This story highlights the serious problem that #Log4j vulnerability continues to represent to governments and industry, which is why it was the right decision to have it be the subject of our inaugural Cyber Safety Review Board investigation https://t.co/zckpZ9yD7W
— Dmitry Alperovitch (@DAlperovitch) November 17, 2022
Installation of a cryptominer
The alert was published following an investigation into an intrusion at a target that has not been named but is described as a federal organization. According to the investigation, the attackers are believed to have entered the network by exploiting an unpatched Log4j vulnerability in a VMware Horizon server.
Besides installing cryptomining malware, the attackers stole usernames and passwords. CISA linked the computer attack to a group of hackers working on behalf of the Iranian government.
The warning comes nearly a year after the discovery of the Log4j vulnerability and the call for organizations to apply patches or mitigations. The vulnerability had been described by CISA chief Jen Easterly as “one of the most serious sightings in my entire career, if not the most serious”.
Flaw discovered in December 2021
In France, the national cybersecurity agency, ANSSI, had warned in mid-December of the risks of the Log4Shell security flaw, which it said was “actively exploited” by attackers. The Belgian Ministry of Defense indicated a few days later that it had been targeted by a cyberattack using this flaw.
The CVE-2021-44228 vulnerability is in the widely used Apache Log4j Java logging library. If successfully exploited, the flaw allows attackers to execute code remotely and gain access to machines.
Log4j is embedded in a wide range of enterprise software applications, services, and tools written in Java and used by organizations around the world, many of which have been rushing to apply patches.
Organizations still vulnerable
But despite urgent messages about applying critical security updates, some still haven’t, which means they’re still vulnerable to cybercriminals and other malicious hackers looking to exploit Log4j.
Hence the warning from CISA and the FBI: organizations that have not applied the patches should assume that their information systems may be compromised. If an intrusion is detected, they should also check whether the attackers were able to move further into the network by auditing accounts with high-privilege access.
Mitigation measures include updating VMware Horizon systems and affected access gateways, as well as all other software. Likewise, the use of strong passwords and multi-factor authentication is recommended.
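Knowing whether the patches or mitigations have actually reached every copy of Log4j is the first step of such a check. The following inventory script is an added example, not code from CISA, the FBI or the Apache project: it walks a directory tree, identifies log4j-core jars by their Maven metadata, reads the version, and reports each jar as vulnerable to CVE-2021-44228 (affected version with the JndiLookup class still present), mitigated (affected version with the class removed, Apache's documented stop-gap) or patched (2.15.0 or later). The sample jars it scans are constructed in a temporary directory; the nested-jar case (a log4j-core inside a WAR or fat jar) is out of scope here.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Apache's documented stop-gap mitigation for CVE-2021-44228 was to delete this class from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first log4j-core release with CVE-2021-44228 fixed
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", re.M)  # "2.0-beta9" -> (2, 0, 0)


def classify(jar_path: Path) -> Optional[str]:
    """'vulnerable', 'mitigated' or 'patched' for a log4j-core jar, None otherwise."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None  # not log4j-core (log4j 1.x ships under a different groupId)
        m = VERSION_RE.search(jar.read(POM_PROPS).decode("utf-8", "replace"))
        if not m:
            return None
        version = (int(m[1]), int(m[2]), int(m[3] or 0))
        if version >= FIXED:
            return "patched"
        return "vulnerable" if JNDI_LOOKUP in names else "mitigated"


def scan(root: Path) -> Dict[str, str]:
    """Walk a deployment tree and report every log4j-core jar found, by file name."""
    return {p.name: v for p in sorted(root.rglob("*.jar")) if (v := classify(p))}


def build_sample(root: Path) -> None:
    """Constructed fixture, not real artifacts: three fake log4j-core jars and one unrelated jar."""
    def make(name: str, version: str, keep_jndi: bool) -> None:
        with zipfile.ZipFile(root / name, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if keep_jndi:
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    make("log4j-core-2.14.1.jar", "2.14.1", True)            # unpatched
    make("log4j-core-2.14.1-stripped.jar", "2.14.1", False)  # JndiLookup removed
    make("log4j-core-2.17.1.jar", "2.17.1", True)            # fixed release
    zipfile.ZipFile(root / "other-lib.jar", "w").close()     # no log4j at all


def demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        return scan(Path(d))


if __name__ == "__main__":
    print(demo())
```

Point `scan()` at a real application directory instead of the fixture to inventory a deployment; anything reported as "vulnerable" still needs the update or mitigation the advisory calls for.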