Microsoft: Log4j exploits extend past crypto mining to outright theft


Microsoft said Saturday that exploits so far of Apache’s critical Log4j vulnerability, known as Log4Shell, extend beyond cryptocurrency mining and into more serious territories, such as credential and data theft.

The tech giant said its threat intelligence teams have been tracking attempts to exploit the remote code execution (RCE) vulnerability that was revealed late Thursday. The vulnerability affects Apache Log4j, an open source log library widely deployed in cloud services and business software. Many applications and services written in Java are potentially vulnerable.

More serious feats

Attacks that take over machines to mine cryptocurrencies like Bitcoin, also known as cryptojacking, can lead to slower performance.

However, in addition to coin mining, the Log4j exploitation activity Microsoft has seen so far includes credential theft, lateral movement, and data exfiltration. In addition to providing some of the largest cloud platforms and services used by businesses, Microsoft is a major cybersecurity provider in its own right, with 650,000 security customers.

In its post on Saturday, Microsoft said that “at press time, the vast majority of the activity observed has been scanning, but mining and post-mining activities have also been observed.”

In particular, “Microsoft has observed activities that include the installation of coin miners, Cobalt Strike to allow credential theft and lateral movement, and the extraction of data from compromised systems,” the company said.

Microsoft did not provide further details on any of these attacks. VentureBeat has contacted Microsoft for updated information.

According to a post from Netlab 360, attackers have leveraged Log4Shell to deploy malware, including Mirai and Muhstik, two Linux botnets used for crypto mining and distributed denial of service (DDoS) attacks.

Behavior-based detection

In response to the vulnerability, Microsoft said security teams should focus on more than just preventing attacks, and should also look for indicators of an exploit using a behavior-based detection approach.

Because the Log4Shell vulnerability is so broad and mitigations take time to implement in large environments, “we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention,” the company said in its post. “Observed post-exploitation activity, such as coin mining, lateral movement, and Cobalt Strike, is detected with behavior-based detections.”

Cobalt Strike is a legitimate, commercially available penetration testing tool, but cybercriminals have increasingly taken advantage of it, according to a recent report by Proofpoint. Usage of Cobalt Strike by threat actors increased 161% in 2020, year-over-year, and the tool has been “showing up in Proofpoint threat data more often than ever” in 2021, the company said.

As for Microsoft’s own products that may be vulnerable due to their use of Log4j, the company has said that it is investigating the problem. In a separate blog post on Saturday, Microsoft’s Security Response Center wrote that its security teams “have been conducting active research of our products and services to understand where Apache Log4j can be used.”

“If we identify any impact on the customer, we will notify the affected party,” the Microsoft post reads.

Fixing the flaw

The Log4Shell vulnerability affects Apache Log4j version 2.0 through version 2.14.1, and organizations are encouraged to upgrade to version 2.15.0 as soon as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories on potentially vulnerable products.

“One thing to keep in mind about this vulnerability is that you can be at risk without even knowing it,” said Roger Koehler, vice president of threat operations at the managed detection and response company Huntress, in an email. “Many business organizations and the tools they use may include the bundled Log4j package, but that inclusion is not always obvious. As a result, many enterprise organizations are at the mercy of their software vendors to patch and update their proprietary software as appropriate.”

Vendors must first develop and ship patches for their software products, and then companies need more time to test and deploy those patches. “The process can end up taking a long time before companies have patched their systems,” Koehler said.
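Koehler’s point is that the vulnerable library is often bundled out of sight inside a vendor’s own archive. The script below is an added example (not code from Microsoft, Huntress, or Cybereason) of how a security team can inventory that exposure: it walks a directory tree, opens every JAR/WAR/EAR, recurses into archives nested inside them, and flags any `log4j-core` whose `Implementation-Version` from `META-INF/MANIFEST.MF` (or, failing that, the version in the file name) falls in the 2.0 through 2.14.1 range the article names. The sample layout it scans is constructed inline in a temporary directory so the example runs offline; identifying Log4j by the `log4j-core` file-name prefix is an assumption of this example.

```python
"""Inventory bundled Log4j 2 (log4j-core) JARs, including ones nested inside WAR/EAR files,
and flag versions 2.0 through 2.14.1 as vulnerable, per the range in the article."""
import io
import os
import re
import tempfile
import zipfile

VULNERABLE_MIN = (2, 0, 0)
VULNERABLE_MAX = (2, 14, 1)   # 2.15.0 is the first fixed release named in the article
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' or '2.9' into a comparable tuple; return None if unparsable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True for Log4j 2.0 through 2.14.1 inclusive (Log4j 1.x is outside this range)."""
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def manifest_version(zf):
    """Read Implementation-Version from the archive's MANIFEST.MF, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def inspect_archive(zf, label, findings):
    """Record a log4j-core archive at this level, then recurse into nested archives."""
    base = os.path.basename(label)
    if base.startswith("log4j-core"):          # assumption: identify Log4j by file name
        version = manifest_version(zf)
        if version is None:                     # fall back to the version in the file name
            m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", base)
            version = parse_version(m.group(1)) if m else None
        findings.append((label, version, version is not None and is_vulnerable(version)))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(nested, f"{label}!/{name}", findings)


def scan_tree(root):
    """Walk a directory and return (path, version, vulnerable) for every log4j-core found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root):
    """Constructed test layout: a vulnerable JAR, a fixed JAR, and a WAR that bundles a
    vulnerable log4j-core under WEB-INF/lib where a directory listing would not show it."""
    def jar_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(jar_bytes("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "wb") as f:
        f.write(jar_bytes("2.15.0"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", jar_bytes("2.11.2"))
        war.writestr("WEB-INF/lib/other-lib-1.0.jar", jar_bytes("1.0"))


def demo():
    """Build the constructed tree, scan it, and return the vulnerable hits as (path, version)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (os.path.relpath(path, root).replace(os.sep, "/"), f"{v[0]}.{v[1]}.{v[2]}")
            for path, v, vulnerable in scan_tree(root) if vulnerable
        )


if __name__ == "__main__":
    for path, version in demo():
        print(f"VULNERABLE {version}: {path}")
```

Run against a real application directory with `scan_tree("/opt/myapp")`; the `!/` separator in a reported path marks where a nested archive begins. The version check is deliberately a range test rather than a list of known-bad versions, so it will keep flagging anything below 2.15.0 as vendors ship interim builds.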

Meanwhile, to help reduce risk, solutions for security teams have begun to emerge.

Possible workaround

A tool, developed by researchers at security provider Cybereason, disables the vulnerability and allows organizations to stay protected while updating their servers, according to the company.

After it is deployed, any future attempts to exploit the Log4Shell vulnerability will not work, said Yonatan Striem-Amit, Cybereason’s co-founder and CTO. The company has described the solution as a “vaccine” because it works by exploiting the Log4Shell vulnerability itself. It was released for free on Friday afternoon.

Still, no one should see the tool as a “permanent” solution to addressing the vulnerability in Log4j, Striem-Amit told VentureBeat.

“The idea is not that it is a long-term solution,” he said. “The idea is that you buy yourself time to go now and apply best practices: patch your software, roll out a new version, and all the other things necessary for good IT hygiene.”

Widespread vulnerability

The Log4Shell vulnerability is considered very dangerous due to the widespread use of Log4j in software and because the flaw is considered quite easy to exploit. Ultimately, the RCE flaw can allow the attacker to access and control devices remotely.

Log4Shell is “probably the most important [vulnerability] in a decade” and it may end up being “the greatest of all time,” Tenable CEO Amit Yoran said Saturday on Twitter.

According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare.

“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge for network defenders given its widespread use,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted on Saturday.
