Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December.
Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services.
Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment.
Over the past month, Microsoft has released numerous updates, including to its Defender security software, to help customers identify the issue as attackers stepped up scanning activity.
“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) said in a January 3 update.
Microsoft said customers should “assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.” Hence, it’s encouraging customers to utilize scripts and scanning tools to assess their risk and impact.
“Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft added.
The flaw likely left some security teams without much of a break over Christmas and prompted warnings from the UK’s NCSC to beware of burnout among staff responsible for remediation.
Just ahead of New Year’s Day, Microsoft rolled out a new Log4j dashboard for threat and vulnerability management in the Microsoft 365 Defender portal for Windows 10 and 11, Windows Server, and Linux systems. The dashboard aims to help customers find and fix files, software and devices affected by Log4j vulnerabilities. CISA and CrowdStrike also released Log4j scanners ahead of Christmas.
CISA officials believe hundreds of millions of devices are affected by Log4j. Meanwhile, major tech vendors such as Cisco and VMware continue to release patches for affected products.
The Log4Shell vulnerabilities now include the original CVE-2021-44228 and four related flaws, the latest of which was CVE-2021-44832. However, it was only a moderate-severity issue, addressed in the Log4j version 2.17.1 update on December 28. The Apache Software Foundation has details about each of the Log4j vulnerabilities in its advisory covering CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046.
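As an added example of the kind of inventory script Microsoft is encouraging customers to run (this is not Microsoft's tooling, the Defender dashboard, or the CISA/CrowdStrike scanners mentioned above), the script below walks a directory tree, finds log4j-core JARs, reads the version from the JAR manifest (falling back to the file name) and flags anything older than 2.17.1, the fixed version cited in the article. The `log4j-core-<version>.jar` naming convention and the constructed sample tree are assumptions made for the example.

```python
import os
import re
import tempfile
import zipfile

# 2.17.1 (December 28) is the release the article cites as closing CVE-2021-44832.
FIXED_VERSION = (2, 17, 1)
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)


def jar_version(path):
    """Version tuple of a log4j-core JAR (manifest first, file name as fallback), else None."""
    match = VERSION_RE.match(os.path.basename(path))
    if not match:
        return None
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version":
                return tuple(int(p) for p in value.strip().split(".")[:3])
    except (OSError, zipfile.BadZipFile, KeyError, ValueError):
        pass  # unreadable or oddly versioned manifest: trust the file name instead
    return tuple(int(g) for g in match.groups())


def scan_tree(root):
    """List (path, version) for every log4j-core JAR below the fixed version."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            version = jar_version(path)
            if version is not None and version < FIXED_VERSION:
                findings.append((path, ".".join(map(str, version))))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one outdated JAR and one already at the fixed version."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    for version in ("2.14.1", "2.17.1"):
        lib_dir = os.path.join(root, "app-" + version, "lib")
        os.makedirs(lib_dir)
        with zipfile.ZipFile(os.path.join(lib_dir, "log4j-core-%s.jar" % version), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\n" % version)
    return root
```

Running `scan_tree("/opt")` (or any application root) on a real host prints nothing by itself; iterate over its return value to report each outdated JAR it finds.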