The critical Apache Log4j 2 vulnerability is paving the way for state-sponsored hackers to steal data and launch ransomware attacks, according to Microsoft.
On Tuesday, the company warned it had observed nation-state hacking groups from China, Iran, North Korea, and Turkey trying to exploit the Log4j 2 flaw. Their activites include experimenting with the bug and abusing the flaw to drop malicious payloads and extract data from victims.
According to Microsoft, an Iranian hacking group, dubbed Phosphorus or Charming Kitten, has allegedly been exploiting Log4j 2 to spread ransomware. A separate group from China called Hafnium has been observed leveraging the vulnerability to help it target potential victims.
“In these attacks, Hafnium-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” Microsoft said.
The vulnerability is raising alarm bells because Apache’s Log4j 2 software is used across the internet industry as a tool to log changes in a software or web application. By exploiting the flaw, a hacker can break into an IT system to steal data or run a malicious program. Not helping the problem is how the flaw is trivial to set up, making it all too easy for anyone to exploit it.
The report from Microsoft underscores the need for the entire tech industry to patch the flaw before mayhem ensues. The company didn’t identify the state-sponsored hacking groups from North Korea or Turkey. But Microsoft added that other cybercriminal groups, called “access brokers,” have been spotted exploiting the Log4j 2 bug to gain a foothold into networks.
Recommended by Our Editors
“These access brokers then sell access to these networks to ransomware-as-a-service affiliates,” Microsoft said. “We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.”
Other cybersecurity companies, including Mandiant, have also spotted state-sponsored hacking groups from China and Iran targeting the flaw. “We anticipate other state actors are doing so as well, or preparing to,” said Mandiant VP of Intelligence Analysis John Hultquist. “We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time.”
Like What You're Reading?
Sign up for Security Watch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba