In the wake of the disclosure of a critical vulnerability in the widely used Apache Log4j logging software in December, many in the industry predicted that we would still be hearing about it for a long time to come.
They were correct.
It’s now been three months since the remote code execution (RCE) vulnerability in Log4j, known as Log4Shell (CVE-2021-44228), was first revealed. And we’re still learning more details about how attackers managed to exploit the flaw.
The latest revelation — coming today from Mandiant — was that a threat actor believed to operate out of China had exploited the vulnerability in Log4j “within hours” of an advisory about the flaw going out on December 10.
And here’s the most troubling part: The group succeeded at compromising the networks of “at least” six state governments in the U.S. in part through exploiting Log4j, Mandiant researchers said in a blog post. The states in question were not named by the company.
Along with Log4j, the threat actor also utilized a zero-day vulnerability (CVE-2021-44207) in USAHerds, an application used for tracking livestock diseases, according to Mandiant.
The Chinese threat actor, known as APT41, is a “prolific” state-sponsored group focused on espionage, Mandiant researchers said in the post. The exact goals of the group’s campaign against state governments “remain unknown,” the researchers said.
What is known, though, is that the group acted very fast when it came to the Log4j vulnerability.
“Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries,” the Mandiant researchers said.
Ongoing threat
Mandiant, which had a busy news day today, reported that the APT41 campaigns against U.S. state governments did not stop in December, either.
“In late February 2022, APT41 re-compromised two previous U.S. state government victims,” the researchers said — “demonstrating their unceasing desire to access state government networks.”
Thus, while there have been fewer cyberattacks of consequence leveraging the Log4j vulnerability than expected so far, it’s increasingly clear that we haven’t had the full picture.
And in all likelihood, the full extent of the damage will still be unknown for some time. For instance, attackers may be waiting for an opportune time to use the access they gained through breaching systems using Log4Shell.
Wake-up call
It also appears that many systems have still not been patched against the vulnerability. According to data from security vendor Qualys, 30% of Log4j instances continue to be vulnerable.
The pervasiveness of the Log4j logging software — and the fact that it’s often leveraged indirectly via Java frameworks — has made the issue difficult to fully address for many organizations.
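That indirect inclusion is why an inventory built from an application's declared dependencies misses copies of log4j-core that a framework pulled in transitively or that a build tool packed inside a WAR or fat JAR. The following Python scanner is an added example, not code from this article or from Mandiant or Qualys: it opens every archive under a directory, recurses into JARs nested inside WAR/EAR files, reads the version from log4j-core's own `pom.properties`, and checks whether the `JndiLookup` class is present. The affected-version ranges are those published by Apache for CVE-2021-44228 (2.0-beta9 through 2.14.1, with the 2.3.1 and 2.12.2 backports fixed); the sample WAR the block builds is constructed for the demonstration, and the `JndiLookup.class` bytes inside it are a placeholder.

```python
"""Scan JAR/WAR/EAR archives, including JARs nested inside them, for bundled
log4j-core and report whether each copy is exposed to CVE-2021-44228."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Entries that identify a copy of log4j-core inside an archive.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return (0, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1. The Java 6
    and Java 7 backports 2.3.1 and 2.12.2 are fixed, as is 2.15.0 and later
    (later releases address follow-up CVEs, which this check does not cover).
    Pre-beta9 builds parse as (2, 0, 0) here; they lack JndiLookup.class, so
    the class-presence check in Finding.vulnerable rules them out."""
    major, minor, patch = parse_version(version)
    if major != 2 or minor >= 15:
        return False
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return True


@dataclass
class Finding:
    path: str                  # e.g. app.war!WEB-INF/lib/log4j-core-2.14.1.jar
    version: Optional[str]     # from pom.properties, None if that file is absent
    jndi_lookup_present: bool

    @property
    def vulnerable(self) -> bool:
        # The JNDI lookup class is what the exploit reaches; a copy from which an
        # operator removed it (a published mitigation) is not exploitable through
        # CVE-2021-44228 even at an affected version. A copy whose version could
        # not be read but still ships the class is treated as affected.
        if not self.jndi_lookup_present:
            return False
        return self.version is None or is_affected_version(self.version)


def scan_bytes(data: bytes, path: str) -> List[Finding]:
    """Recursively inspect an archive held in memory; non-zip input yields nothing."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    version = m.group(1).strip()
            findings.append(Finding(path, version, JNDI_LOOKUP in names))
        # Descend into nested archives (WEB-INF/lib/*.jar, shaded jars, EAR modules).
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_bytes(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory (for example an application server's deploy dir)."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), full))
    return findings


def _make_jar(entries: Dict[str, Union[str, bytes]]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample: a WAR bundling three copies of log4j-core, as a
    framework-based application might after dependency resolution."""
    def log4j_jar(version: str, keep_jndi: bool) -> bytes:
        entries: Dict[str, Union[str, bytes]] = {
            POM_PROPS: f"version={version}\ngroupId=org.apache.logging.log4j\n"
                       f"artifactId=log4j-core\n"}
        if keep_jndi:
            entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # placeholder, not a real class
        return _make_jar(entries)
    return _make_jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_jar("2.14.1", True),
        "WEB-INF/lib/log4j-core-2.14.1-patched.jar": log4j_jar("2.14.1", False),
        "WEB-INF/lib/log4j-core-2.17.1.jar": log4j_jar("2.17.1", True),
    })


if __name__ == "__main__":
    for f in scan_bytes(build_sample_war(), "app.war"):
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{state:10} {f.version or '?':8} jndi={f.jndi_lookup_present} {f.path}")
```

Run against a real host with `scan_tree("/opt/tomcat/webapps")` or similar. Reading `pom.properties` rather than trusting the file name matters because shaded and renamed JARs keep the Maven metadata but not the version in their names; checking for the `JndiLookup` class separately distinguishes a copy that was mitigated by class removal from one that was merely relabelled.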
The cyberattack disclosed by Mandiant today will hopefully serve as a wake-up call to some organizations, said Aubrey Perin, lead nation-state threat intelligence analyst at Qualys.
Additionally, it’s a reminder that “while all eyes have been diverted to Russia and Ukraine, there are still other threats that are present and must be closely watched,” Perin said.
Ultimately, the disclosure by Mandiant today “tracks with the typical time lapse we see with zero-day vulnerabilities like Log4Shell,” said Brian Fox, CTO at Sonatype.
“The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit,” Fox said. “So, from a historical perspective this isn’t surprising: a high-spread, low-complex vulnerability equals a 100% chance of being used.”