Multiple Nation-State actors are exploiting Log4Shell flaw


China, Iran, North Korea and Turkey’s nation-state actors are trying to exploit log4shell vulnerability in the attacks.
Microsoft researchers said that the nation-state actor of China, Iran, North Korea and Turkey are now misusing Log4shell (CVE-2021-44228) in the Log4J Library in their campaigns. Some groups who exploited vulnerability are phosphorus related to China and Iran, which is using defects to attack former group virtualization infrastructure, which is later deployed to Ransomware.

“MS TIC has also seen CVE-2021-44228 vulnerability used by many tracked nation-state activity groups generated from China, Iran, North Korea and Turkey. This activity is used during development, wild payload The integration of vulnerability for deployment, and exploitation against goals to achieve the objectives of the actor. “Reads guidance published by Microsoft.

“For example, MSTIC has seen a Iranian actor who is deploying Ransomware, completing the amendment of acquisition and Log4J exploitation. We assess that phosphorus operated these amendments. Apart from China, a hazard actor group Hafnium has been seen using vulnerability to attack Virtualization Infrastructure to increase its general targeting. In these attacks, HFanim-Associated System usually celebrates using a DNS service. Those who were usually connected to test activity in the fingerprint system. ”

CVE-2021-44228 LOG4J LOG4SHELL
Microsoft experts have also said that multiple access brokers have started using Log4shell vulnerability to get initial access to the targeted network and then it has sold Ransomware-AS-A-service colleagues.

Most traffic seen by Microsoft is linked to large scale scanning for weak systems organized by both dangerous actors and security researchers. IT Giant reported the rapid increase of log 4 shell vulnerability in existing boton, in which there was a purpose of Bot Linux and Windows System, including murai and tsunami backdoor.

“Microsoft has continued to inspect the malicious activity that leak data through vulnerability without leaving a payload. This attack landscape can be particularly impressive against network devices, which has SSL termination, where actor mystery And can leak the data. “Microsoft is continuing.

Microsoft warns the exploitation on non-Microsoft Hosted Minecraft Server and minecraft urges to run their server to run their server to deploy the latest Minecraft Server Updato.
Microsoft also confirmed that the exploitation of Log4Shell to deploy Khonsari Ransomware as recently discussed by bit Defender. Microsoft Defender Antivirus detected a small number of attacks related to minecraft clients introduced from Minecraft customers to be introduced from Minecraft customers connected to the compromised Minecraft customers connected to the Logificed Minecraft server through the use of a third party minecraft mode loader.

“In these cases, an opponent sends a malicious in-game message on a weak minecraft server, which exploits CVE-2021-4422 to recover and execute attacker-hosted payloads on the server and connected weak customers. We looked forward to a malicious Java class file which is executed to ransom the device in the context of Javaw.exe, which is then executed. “Microsoft concludes.