IT and security professionals should continue to be vigilant and look for signs of vulnerable versions of Log4j as exploitation attempts stretch into a second month, Microsoft warns.
According to an update to a running Microsoft security blog on the issue, sophisticated threat actors, including nation-state groups, are folding Log4j exploits into their attack tools. The vulnerability, known as Log4Shell, is expected to have a long-lasting impact on the IT ecosystem.
“There is high potential for the expanded use of the vulnerabilities,” Microsoft says in the post.
Exploitation attempts and testing remained high during the last two weeks of December after the bug was originally discovered on Dec. 9.
According to Microsoft, known attackers are adding Log4j exploits to their existing malware kits and tactics, ranging from coin-miner operators to hands-on-keyboard actors.
Microsoft warns that organizations may not realize they have already been compromised due to the ubiquitous deployment of Log4j.
“At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the company says. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”
Microsoft, along with CrowdStrike, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and other organizations, has released open-source Log4j scanning tools to help IT professionals find vulnerable versions of Log4j in their environments. These include detection tools in Microsoft 365 Defender as well as other free and publicly available scanners.
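As an added illustration of what a file-system scanner of the kind mentioned above does (example code written for this article, not a tool from Microsoft, CISA or CrowdStrike), the Python below walks a directory, reads the Maven pom.properties inside each archive, including jars nested inside wars and ears, and reports every log4j-core copy below a version threshold. The 2.17.1 threshold and the sample archives demo() builds are assumptions for demonstration; adjust the threshold to your own patch policy.

```python
import contextlib, io, os, tempfile, zipfile

# Assumption: report any log4j-core below 2.17.1 (2.15.0 addressed Log4Shell itself,
# later 2.16/2.17.x releases fixed follow-on issues). Set this to your own policy.
MIN_SAFE = (2, 17, 1)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'version=2.14.1' -> (2, 14, 1); non-numeric parts (e.g. '0-beta9') are dropped."""
    for line in text.splitlines():
        if line.startswith("version="):
            return tuple(int(p) for p in line.split("=", 1)[1].strip().split(".") if p.isdigit())
    return None

def inspect_jar(zf, label):
    """Yield (label, version, jndi_class_present) for this archive and any archive nested in it."""
    names = set(zf.namelist())
    if POM in names:
        yield label, parse_version(zf.read(POM).decode("utf-8", "replace")), JNDI in names
    for name in names:  # jars bundled inside wars/ears are where inventories most often miss it
        if name.endswith((".jar", ".war", ".ear")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from inspect_jar(inner, label + "!" + name)

def scan_for_log4j(root):
    """Walk root and return every log4j-core copy whose version is unknown or below MIN_SAFE."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                # a file with a .jar name that is not a zip is skipped rather than aborting the scan
                with contextlib.suppress(zipfile.BadZipFile), zipfile.ZipFile(path) as zf:
                    findings += [hit for hit in inspect_jar(zf, path)
                                 if hit[1] is None or hit[1] < MIN_SAFE]
    return findings

def build_sample_jar(path, version):
    # Constructed fixture: a minimal archive that looks like log4j-core (not a real build).
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI, b"")  # the lookup class ships in every 2.x release

def demo():
    """Scan a temp dir holding one old jar, one current jar and a war bundling the old jar."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1")
        with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as war:
            war.write(os.path.join(tmp, "log4j-core-2.14.1.jar"), "WEB-INF/lib/log4j-core-2.14.1.jar")
        return [(os.path.relpath(lbl, tmp), ver, jndi) for lbl, ver, jndi in scan_for_log4j(tmp)]
```

Running demo() reports the stand-alone 2.14.1 jar and the same jar nested in app.war, and leaves the 2.17.1 jar unreported; the jndi flag tells you whether a flagged old copy still carries the JndiLookup class or has had it removed as a stopgap.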
Notable IT vendors such as Cisco, VMware, AWS, Avaya and others are still working on patching vulnerable products, according to a running list of affected vendors maintained by CISA. As of Tuesday morning, about 2,000 products were listed as affected by the vulnerability.