The NHS Digital cyber team has warned of Log4Shell attacks on VMware software. The cyber alert service says an unknown threat group targeted unpatched Horizon systems in order to establish a presence within affected networks. If successful, attackers could steal data or deploy ransomware. This isn’t good timing, as the NHS, just like other health care systems worldwide, is being overwhelmed by the Omicron variant of COVID. Though when is it a good time to get pwned?
I have two comments on this. The first is from Albert Zhichun Li, VP of Engineering of Stellar Cyber:
“Overall, Log4j vulnerabilities are relatively easy to exploit and not too hard to defend. The bar is low, and any attacker is capable of using Log4Shell. Every vendor needs to scan their potential Java components, especially web services, in this case Tomcat, and offer urgent patches. All businesses need to keep security hygiene by patching the service or restricting the access.”
The second comment is from Saryu Nayyar, CEO and Founder, Gurucul:
“As we have seen over the past 30 days, the Log4J vulnerability continues to be a challenge as new exploits are developed, making it essential to detect the threat activity both as the vulnerability is exploited and as attackers have successfully inserted themselves in an environment. Static signatures and rule-based ML must be constantly updated for certain variants to be detected. Dynamic and adaptable behavioral analytics that prioritize and escalate the specific anomalous activity attempting to exploit Log4j is the best approach to determining whether a new or unknown attack is actively attempting to compromise systems based on Log4j or execute a campaign post-initial compromise.”
Log4j/Log4Shell is the one thing that is making life miserable for sysadmins everywhere. The best way for them to put themselves out of their misery is to ensure all the things are patched, and then double check to make sure all the things are patched.
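The two pieces of advice above, scan every Java component for log4j and double check that it is actually patched, are easy to say and tedious to do by hand, because log4j-core is often buried inside a .war or a fat jar rather than sitting in a lib directory. The script below is an added example written for this post; it is not code from NHS Digital, VMware, Apache or any of the vendors quoted here. It walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them, and reports each copy of log4j-core that still contains the JndiLookup class at a version below a threshold. The threshold, MIN_SAFE_VERSION, is an assumption: set it to the release your vendor advisory names as fixed. The sample archives it scans are constructed in a scratch directory and are not real log4j builds.

```python
"""Inventory check: find bundled log4j-core archives that still ship the
JndiLookup class at a pre-fix version. Example code for this post, not
NHS/VMware/Apache code."""
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: the lowest log4j 2.x release you treat as patched. Take the
# number from your vendor advisory; it is a parameter here, not a claim.
MIN_SAFE_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15' -> (2, 15, 0); unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def inspect_archive(zf, label):
    """Findings for one open archive plus any archives nested inside it."""
    names = set(zf.namelist())
    findings = []
    if JNDI_CLASS in names:
        version = parse_version(manifest_version(zf))
        # Unknown version with the lookup class present is flagged: the
        # defender has to prove a copy safe, not the other way round.
        vulnerable = version is None or version < MIN_SAFE_VERSION
        findings.append({"archive": label, "version": version,
                         "vulnerable": vulnerable})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive despite the suffix
            findings.extend(inspect_archive(inner, f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(path, version, with_jndi_class=True, nest_in=None):
    """Construct a minimal fake jar for the demo (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class magic only
    data = buf.getvalue()
    if nest_in:  # wrap the jar inside a war to exercise the recursive path
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr(nest_in, data)
        data = outer.getvalue()
    Path(path).write_bytes(data)
    return path


def demo():
    """Build four constructed archives in a scratch directory and scan them."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        build_sample_jar(tmp / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(tmp / "log4j-core-2.17.1.jar", "2.17.1")
        build_sample_jar(tmp / "log4j-core-stripped.jar", "2.14.1",
                         with_jndi_class=False)  # class removed: mitigated
        build_sample_jar(tmp / "app.war", "2.14.1",
                         nest_in="WEB-INF/lib/log4j-core-2.14.1.jar")
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        state = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{state:10} {f['archive']}  version={f['version']}")
```

Point scan_tree at an application root (a Tomcat webapps directory, a Horizon install tree) and treat every VULNERABLE line as work to do; the stripped-class case is reported as clean because removing JndiLookup.class was one of the published mitigations, but a copy whose manifest carries no version is deliberately reported as vulnerable rather than silently skipped.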
UPDATE: I got additional commentary from Stephanie Simpson, who is the VP of Product Management at SCYTHE:
Ransomware gangs, like CONTI, will continue to try to use Log4Shell vulnerabilities, especially as companies need to continue product development in the aftermath of this vulnerability being discovered. To protect customers from these new TTPs, companies need to test and validate there are no holes in the software before it is pushed to production.