The Dutch National Cybersecurity Centre (NCSC) issued an alert on Thursday, saying that companies should be aware of the dangers associated with Log4j attacks and remain watchful for ongoing threats. Even though the fallout from recent Log4Shell exploitation was “not too bad” because many businesses rushed to remediate these critical vulnerabilities, the NCSC believes that threat actors are still preparing to breach new targets.
“It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period,” the Dutch cybersecurity agency said. “It is therefore important to remain vigilant. The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary.” Furthermore, the NCSC recommends that directors stay vigilant by learning about Log4j and the potential impact of exploitation on business continuity.
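The NCSC's advice to keep checking whether vulnerable systems are still in use comes down, in practice, to an inventory: finding every log4j-core jar on a host and deciding whether it still carries the JNDI lookup code path. The script below is an added illustration of such a check, not code from the NCSC or the Log4j project. It locates log4j-core by its Maven pom.properties inside the jar, reads the version, and flags a jar when the `JndiLookup` class is present and the version is below 2.16.0 (the backported fixes 2.12.2 and 2.3.1 are treated as patched). The version cut-off and the backport list are a simplification I chose for this example; later patch-level advisories are not modelled. The `build_sample_jar` helper creates constructed sample jars in memory so the scanner can be exercised offline.

```python
"""Inventory log4j-core jars and flag those that still carry the JNDI lookup path.

Added example (not from the NCSC or the Log4j project). Version thresholds below
are a simplification chosen for illustration.
"""
import io
import re
import zipfile
from pathlib import Path

# Class that implements the ${jndi:...} lookup; removing it from the jar was a
# widely used mitigation when patching was not immediately possible.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$"
)
# Assumption for this example: 2.16.0 and later are treated as fixed on the
# 2.x line; 2.12.2 and 2.3.1 are the backported fixes for older branches.
FIXED_MIN = (2, 16, 0)
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


def parse_version(text):
    """Extract (major, minor, patch) from a Maven pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(data: bytes):
    """Return (version, has_jndi_lookup) for a jar given as bytes, or None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        props = next((n for n in names if POM_PROPS_RE.search(n)), None)
        if props is None:
            return None
        version = parse_version(zf.read(props).decode("utf-8", "replace"))
        return version, JNDI_LOOKUP in names


def is_vulnerable(version, has_jndi_lookup):
    """Decide whether a log4j-core jar should be flagged for follow-up."""
    if not has_jndi_lookup:
        return False  # lookup class removed: the JNDI path is gone
    if version is None:
        return True   # class present but version unreadable: treat as suspect
    return version < FIXED_MIN and version not in FIXED_BACKPORTS


def scan_tree(root):
    """Walk a directory tree and report (path, version, flagged) for each log4j-core jar."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            info = inspect_jar(path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a valid zip; skip rather than abort the inventory
        if info is None:
            continue
        version, has_lookup = info
        findings.append((str(path), version, is_vulnerable(version, has_lookup)))
    return findings


def build_sample_jar(version, include_jndi):
    """Constructed sample jar (not a real log4j artifact) for demonstrating the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    # Four constructed cases: unpatched, backport-fixed, current, and class-removed.
    for ver_text, has_class in [("2.14.1", True), ("2.12.2", True), ("2.17.1", True), ("2.14.1", False)]:
        version, has_lookup = inspect_jar(build_sample_jar(ver_text, has_class))
        state = "JndiLookup present" if has_lookup else "JndiLookup removed"
        verdict = "FLAG" if is_vulnerable(version, has_lookup) else "ok"
        print(f"log4j-core {ver_text}: {state} -> {verdict}")
```

On a real host, `scan_tree("/opt")` (or any application root) returns one tuple per log4j-core jar found; jars embedded inside other archives (WAR or EAR files, fat jars) are not unpacked here, so a production inventory would need to recurse into nested archives as well.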
Log4j flaws (including Log4Shell) constitute an attractive attack vector for both financially motivated and state-backed attackers, given that the open-source Apache Log4j logging library is embedded in products from dozens of vendors. In particular, Log4Shell can be exploited remotely on servers reachable from the local network or the Internet, allowing attackers to move laterally through a network until they reach critical internal systems. Several threat actors, including cyber organizations affiliated with governments in China, Iran, North Korea, and Turkey, as well as access brokers used by ransomware gangs, began exploiting Log4Shell after it was made public.
The NCSC’s warning comes at a good time, given that government and private groups throughout the world have issued many alerts on ongoing Log4j exploitation. For example, a recently released Microsoft study reveals that unknown threat actors attempted to extend Log4j attacks to an organization’s internal LDAP servers by exploiting a SolarWinds Serv-U zero-day. However, the attacks failed because the targeted Windows domain controllers were not affected by the Log4j flaws.
Microsoft previously warned about a Chinese threat actor known as DEV-0401 deploying Night Sky ransomware using Log4Shell vulnerabilities on Internet-exposed VMware Horizon systems. Before Microsoft’s announcement, the UK’s National Health Service (NHS) issued a warning on January 5 regarding attackers using Log4Shell vulnerabilities to target VMware Horizon systems.