ipopba - stock.adobe.com
HC3: Healthcare Adversaries Are Actively Leveraging Log4j Vulnerabilities
HC3 issued a detailed brief regarding Log4j vulnerabilities, which are being actively exploited by known healthcare adversaries.
The Health Sector Cybersecurity Coordination Center (HC3) issued a brief outlining the history and current status of the Log4j vulnerabilities, which known healthcare adversaries are actively exploiting.
United States entities have experienced the highest rates of exploitation attempts, accounting for 43 percent of all attempts, the brief noted. Healthcare organizations should prioritize patching. There have been no significant compromises in the health sector to date, but healthcare organizations should remain vigilant.
History of Log4j vulnerabilities
Apache Lof4j is an extremely common Java-based logging tool. Logging frameworks essentially collect and store any messages or events that occur in any application, allowing for future analysis and event management.
Log4j is a popular open-sourced logging framework, maintained by Apache, that is often used in conjunction with cloud services. Alibaba researchers reported the Log4Shell vulnerability in late November 2021, HC3 stated.
The Log4Shell vulnerability (CVE-2021-44228) is a critical vulnerability that allows for remote code execution (RCE), which could enable zero-day attacks and other cyber incidents. HC3 said that the first known exploitation of Log4Shell occurred on December 1, 2021.
Exploitation began when proof-of-concept exploit code was posted on GitHub, making it a widely known vulnerability among threat actors. On December 13, researchers discovered a second vulnerability (CVE-2021-45046) in the Log4j 2.15.0 version, which was released earlier that month.
The second vulnerability may allow for denial of service (DoS) attacks, HC3’s brief explained. Apache released a patch shortly after, and the Cybersecurity and Infrastructure Security Agency (CISA) gave federal government agencies 10 days to patch it. CISA subsequently launched a webpage dedicated to Log4j vulnerabilities.
Since that time, researchers have discovered 4 additional vulnerabilities, some of which were patched in updated versions. Microsoft warned of continued exploitation attempts, which continue to ramp up as organizations rush to patch systems.
Who is exploiting Log4j vulnerabilities?
HC3 reported that China-based cyber threat actor HAFNIUM has been repeatedly exploiting the vulnerability to attack virtualization infrastructure, and China-based Aquatic Panda has used Log4Shell to obtain credentials.
In Iran, Microsoft reported, a cyber threat actor known as PHOSPHOROUS has deployed ransomware using a modified version of Log4j, and APT35 is continually scanning systems that may be vulnerable to Log4Shell.
HC3’s research also credited Microsoft, Mandiant, and SecurityScorecard with discovering adversaries in Turkey, North Korea, and Russia who have been exploiting Log4Shell.
In addition, HC3 warned that Conti ransomware, a group that is known to target healthcare organizations, has been leveraging these vulnerabilities.
Mitigation tactics
HC3 provided numerous resources in its brief for healthcare organizations to consult as they grapple with Log4j vulnerabilities.
These resources included:
In the short term, healthcare organizations should make sure that their systems are patched and continually scan networks for suspicious activity. For long-term solutions, organizations should look into enhancing their cyber defense programs, HC3 advised.
Specifically, HC3 recommended focusing on asset inventory, vulnerability management, defense in depth, software bill of materials (SBOMs) implementation, and resilience.