In early February, a cybercrime crackdown by Russian authorities included the arrest of members of the REvil gang. Overall, follow-up reports suggested a growing sentiment that the Russian authorities were out to optimize the appeasement value to the U.S. of the arrests. We later suggested that the REvil Gang arrest was possibly a false flag operation. Our suggested scenario at the time:  The Russians gave up the REvil Gang while still planning to lean on non-state actors for the plausible deniability of cyberwar operations. Our latter assumption has proven true.  A few days ago, the Conti Gang announced their support for the Russian Government.

In what felt like coordinated attacks last Friday, data-wiping malware (masquerading as ransomware) hit Ukrainian government organizations and was quickly followed by an aggressive unattributed cyber attack on Ukrainian government sites. The attacks prompted the release of a CISA Insights Bulletin urging U.S. organizations to strengthen their cybersecurity defenses. 

Following is an update of Log4Shell activities organized by nation-states – with non-state actors and cybercriminal organizations which are suspected to be state-affiliated or located in the country.

An up-to-the-minute summary of major Log4Shell incidents and mitigation activities – as reported by governmental agencies from around the world since the inception of the threat in December 2021.

Many OODA Loop members have had their nose to the grindstone right through the holiday season attending to the potential impacts of the Log4j and Log4Shell vulnerabilities within their organization.  Following is a ‘big picture’ update of CISA press releases, global incidents, and impacts for your review when you come up for air and need to assess more of the strategic challenge ahead with the vulnerability.

Researchers have detected a critical vulnerability in the H2 open-source Java SQL database that bears similarities to the Log4J vulnerability. However, this flaw does not pose a widespread threat. Researchers stated that the flaw opens the door for an adversary to execute remote code on vulnerable systems. H2 is attractive

In June of last year, Cox Media Group (CMG) IT systems and live streams were the targets of a ransomware attack. The Microsoft Threat Intelligence Center (MSTIC) has attributed the attack to an Iranian threat actor, codenamed DEV-0270, a group linked to multiple intrusions of US companies. The attack is part of larger trends in Iranian hacker activity globally identified by the MSTIC. This attribution is also one of many Log4Shell vulnerability headlines of the last three weeks, as DEV-0270 (also known as Phosphorus) exploited Log4Shell in Log4j for initial access to the CMG systems. 

Last week, the CISA released its own Log4j scanner alongside several others published by various cybersecurity companies and researchers. The open-sourced tool is derived from scanners created by other members of the community and is designed to help organizations determine if they have vulnerable web services affected by the critical

The Five Eyes intelligence allies – government agencies in the United States, United Kingdom, Australia, Canada, and New Zealand – issued a joint Cybersecurity advisory (CSA) days before the Christmas holiday, offering guidance for the Apache Log4j vulnerability worldwide.  Nation-states and ransomware gangs are already starting to exploit the vulnerabilities, including Log4Shell (part of the Log4j software library).

Relative to other cyber incidents in the last few months, Log4j is proving severely problematic. If you are in the middle of your impact and mitigation assessment, hands down the most important resource available is the webpage CISA launched yesterday to address the current Log4j activity. Per OODA CEO Matt Devost: “This is a great page and we should highlight that it exists for OODA Loop members.  CISA has done a great job here.” Log4j is also the first US-CERT notification to put front and center private sector collaboration through the newly formed DHS CISA Joint Cyber Defense Collaborative (JCDC).