Last month, several remote code execution (RCE) vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) were reported in Apache Log4j, a widely used open-source component used by many software and services. These vulnerabilities led to widespread exploitation including mass-scanning, coin mining, establishing remote shells, and red-team activity. On December 14th, Apache Log4j 2 team released Log4j 2.16.0 to fix these vulnerabilities. Until the patch is applied, all the existing Apache Log4j running servers will be potential target for hackers.
Microsoft recently updated its guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. According to Microsoft, attackers are actively exploiting Log4j vulnerabilities and the exploitation attempts have remained high during the last weeks of December. Microsoft mentioned that many existing attackers added exploits of these vulnerabilities in their existing malware kits and tactics and there is high potential for the expanded use of the Log4j vulnerabilities.
Microsoft published the following guidance for customers:
- Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact.
- Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities.
- Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered.
- Customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.
- Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.