Microsoft Warns of Continued Log4j Exploitation Attempts

Microsoft observed high rates of Log4j exploitation attempts in the final week of December and warned organizations to remain vigilant.

By Jill McKeon

In an update to a previous blog post, Microsoft warned organizations in early January of continued Log4j exploitation attempts. The tech company urged organizations to remain vigilant and use scanning systems to detect unusual activity.

Apache Log4j is an open-source and extremely common Java framework used to enable logging features in applications. Because it is so widely used, the Log4j vulnerabilities are particularly threatening and could have catastrophic security consequences for healthcare and other sectors.

Researchers first discovered the remote code execution (RCE) vulnerabilities in November, but proof-of-concept exploit code has been circulating on social media recently, making it a more significant threat.

Microsoft has observed both nation-state actors and commodity attackers taking advantage of the vulnerabilities and expects expanded use of the vulnerabilities in the near future.

“The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services,” Microsoft’s blog post stated.

“By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”

Although there is a patch currently available, there are still many unknown implications of these vulnerabilities. In addition, it is notoriously difficult to apply the patch to legacy systems.

Microsoft observed high rates of exploitation attempts and testing during the final weeks of December. In addition, Microsoft found that many existing attackers added Log4j vulnerability exploits into their existing malware kits and tactics.

The majority of observed attacks so far have consisted of mass-scanning, establishing remote shells, red-team activity, and coin mining.

“Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the post continued.

“Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”

The HHS 405(d) Task Group also recently issued a brief outlining the risks associated with the Log4j vulnerabilities and urged the healthcare sector to prioritize patching and mitigating risk. Many cloud applications that healthcare organizations use for EHR services, along with other outsourced security services, frequently use the Log4j software.

The 405(d) Task Group urged organizations to block inbound internet-based access to vulnerable products until patching is possible and to secure all network entry points. If organizations cannot apply the patch to certain legacy systems, they should decommission those solutions or find other tools that provide the same logging functionality.

The Cybersecurity and Infrastructure Security Agency (CISA) is continuing to maintain a list of vendors and products that may be impacted by the vulnerabilities via GitHub.

“They represent potential attack vectors across an organization like medical equipment such as bedside monitors that monitor vital signs during an inpatient stay. Or, they may be more complicated, like infusion pumps that deliver specialized therapies and require continual drug library updates,” the 405(d) Task Group’s brief concluded.

“If an attacker gained access to the network through a vulnerability such as Log4j, they would be able to gain control of the software and could potentially disconnect devices from the network, therefore, causing a disruption to daily procedures and putting patient safety at risk.”