Unknown Attackers Leveraged Log4J Vulnerability

The Belgian defence ministry has confirmed that some of its networks have been hit by a cyber attack, launched by as-yet unidentified actors, which leveraged recently-discovered errors in the widely used software Log4j.

“[The ministry] discovered an attack on its Internet-enabled computer network on Thursday [16 December],” MoD spokesperson Olivier Séverin told news agencies. “Rapid quarantine measures were taken to isolate the affected parts. Our teams have been mobilised throughout the weekend to keep the problem under control, continue our activities and warn our partners. The priority is to keep the defence network operational.”

Log4j is an open-source library used widely by developers to keep records of the activity within their software. Almost all software has development logs and Log4j is a common tool used to carry out this task. A vulnerability in Log4j, called LOG4SHELL (or, formally, CVE-2021-4428), was discovered early in December. The vulnerability is relatively easy to exploit, and can give attackers the ability to steal passwords and credentials, exfiltrate data, and place malware on targeted systems.

Although patches that prevent LOG4SHELL being exploited have been released, Log4j’s widespread deployment means that many systems will include it without users being aware, so may not realise that patching is required for their systems. The UK’s National Cyber Security Centre says LOG4SHELL is “potentially the most severe computer vulnerability in years.”

On 15 December, the Israeli cybersecurity firm Check Point Software Technologies attributed LOG4SHELL exploit attacks against seven targets in Israel to the hacking group APT 35, also known as CHARMING KITTEN. The target entities were not identified but Check Point’s blog post described them as “from the government and business sector“. The company noted the attacks were blocked, and that communication between a server used by APT 35 and the Israeli targets was observed.