QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.
Sources of trusted guidance for the Log4j vulnerability
Apart from the first vulnerability, CVE-2021-44228, two more flaws have emerged. The second vulnerability in Log4j is tracked as CVE-2021-45046 and is related to denial of service (DoS). It is rated 3.7 out of 10 on the CVSS scale and impacts all Log4j versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Security firm Praetorian uncovered another vulnerability in version 2.15.0 that can allow for exfiltration of confidential information in specific circumstances. No identifier for the flaw has yet been issued. Cybercriminals are using this window of opportunity to gain access to whatever they can right now to capitalise on it later. Users requiring Java 8 or later are recommended to update to Log4j version 2.16.0, and users requiring Java 7 are recommended to update to version 2.12.2 when it becomes available. Defenders are advised to minimise exposure by patching and mitigating every aspect of the organisational network and carefully examining exposed and potentially infected systems.
Sources of trusted guidance can be found here:
- NCSC – Apache Log4j vulnerabilities
- NCSC – Log4j - What should boards be asking?
- US CISA – Apache Log4j Vulnerability Guidance
- Microsoft – Guidance for preventing, detecting and hunting for CVE-2021-44228 Log4j 2 exploitation
- Google – Understanding the impact of Apache Log4J
- Google Cloud recommendations for investigating and responding to the Apache Log4j 2 vulnerability
- Amazon – Using AWS security services to protect against, detect and respond to the Log4j vulnerability
- Apache – Apache Log4j Security Vulnerabilities
Apache releases new 2.17.0 patch for Log4j
The Apache Software Foundation published a new Log4j patch, version 2.17.0, late on Friday after discovering issues with 2.16, which had come out on Tuesday. Apache said version 2.16 "does not always protect from infinite recursion in lookup evaluation" and explained that it is vulnerable to CVE-2021-45105, a denial-of-service vulnerability. They said the severity is "high" and gave it a CVSS score of 7.5.
"When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a denial of service (DOS) attack," Apache explained.
They added that the latest issue was discovered by Akamai Technologies' Hideki Okamoto and an anonymous vulnerability researcher. They noted that only the Log4j-core JAR file is impacted by CVE-2021-45105. Security researchers online began tweeting about potential issues with 2.16.0, with some identifying the denial of service vulnerability.
Security company Blumira claims to have found a new Log4j attack vector that can be exploited through the path of a listening server on a machine or local network, potentially putting an end to the assumption that the problem was limited to exposed vulnerable servers. So far, nearly 5,000 artifacts have been patched, leaving more than 30,000 more. But researchers noted that it will be difficult to address the issue because of how deeply Log4j is embedded in some products.
Log4shell is a critical vulnerability in the widely-used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. Although fixes have been issued, they will still need to be implemented.
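Because Log4j is so often bundled several archives deep inside a product, a first remediation step is to find every log4j-core build on a host and map its version onto the ranges quoted above (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). The script below is an added example, not code from QA, Apache or any vendor named here; it assumes the usual Maven pom.properties entry inside log4j-core, reads the version from it, recurses into nested JAR/WAR/EAR files and reports the CVEs each version is exposed to. The demo() fixture is a constructed WAR, not a real artifact.

```python
import io
import re
import zipfile
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata in every log4j-core build

def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 0, 'beta9'); a pre-release sorts before its final build."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")
V = parse_version  # short alias for the range checks below

def assess(version):
    """CVEs a log4j-core version is exposed to, using the version ranges cited in the roundup."""
    v = V(version)
    hits = []
    if V("2.0-beta9") <= v <= V("2.12.1") or V("2.13.0") <= v <= V("2.14.1"):
        hits.append("CVE-2021-44228")  # Log4Shell; 2.12.2, the Java 7 fix, falls outside both ranges
    if V("2.0-beta9") <= v <= V("2.12.1") or V("2.13.0") <= v <= V("2.15.0"):
        hits.append("CVE-2021-45046")  # ranges exactly as the roundup states them
    if v[0] == 2 and v < V("2.17.0"):
        hits.append("CVE-2021-45105")  # recursive Context Lookup DoS, fixed in 2.17.0 (2.12.x backports not modelled)
    return hits

def find_log4j_core(archive, path):
    """Map '<outer>!/<inner>' -> version for each log4j-core found, recursing into nested JAR/WAR/EAR files."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    found[path] = m.group(1)
            elif name.lower().endswith((".jar", ".war", ".ear")):
                found.update(find_log4j_core(zf.read(name), f"{path}!/{name}"))
    return found

def demo():
    """Constructed WAR carrying an unpatched log4j-core in WEB-INF/lib; not a real artifact."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()
    war = zipped({"WEB-INF/lib/log4j-core-2.14.1.jar": zipped({POM_PROPS: "version=2.14.1\n"})})
    return {p: assess(v) for p, v in find_log4j_core(war, "app.war").items()}
```

Point find_log4j_core() at the bytes of each archive on disk (for example, Path(p).read_bytes()) to inventory a host; a version with an empty assess() list still needs the Apache advisory checked for the older-Java backport lines the check does not model.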
Ransomware actor uses Log4j bug to hack VMware vCenter servers
Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. The gang did not waste much time adopting the new attack vector and is the first "top-tier" operation known to weaponize the Log4j vulnerability. A proof-of-concept (PoC) exploit for CVE-2021-44228 — otherwise known as Log4Shell — emerged in the public space on December 9. A day later, mass scanning of the internet started, with multiple actors looking for vulnerable systems. Among the first to leverage the bug were cryptocurrency miners, botnets, and a new ransomware strain called Khonsari.
Dozens of vendors have been affected by Log4Shell and rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, listing 40 vulnerable products. While the company provided mitigations or fixes, a patch for the impacted vCenter versions has yet to become available. Although vCenter servers are not normally exposed to the public internet, there are scenarios where an attacker could exploit the issue:
“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” - VMware
AdvIntel says that Conti ransomware gang members showed interest in leveraging Log4Shell for their operations using the public exploit.
“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel
While most defenders are focused on blocking Log4Shell attacks on Internet-exposed devices, the Conti ransomware operation shows how the vulnerability can be used to target internal devices that may not receive as much attention. The researchers confirmed that Conti ransomware affiliates had already compromised the target networks and exploited vulnerable Log4j machines to gain access to vCenter servers. This means that Conti ransomware members relied on a different initial access vector (RDP, VPN, email phishing) to compromise a network and are currently using Log4Shell to move laterally on the network.
The NCA shares 585 million passwords with Have I Been Pwned
The UK National Crime Agency (NCA) has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches. In a blog post today, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique. These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and if they are likely to be part of public lists used by threat actors in brute-force and password-spraying attacks.
Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All these passwords are also available as a free download, so companies can check their passwords against the data set locally without connecting to Hunt’s service.
In a statement shared by Hunt, the NCA said it found the compromised passwords, paired with email accounts, in an account at a UK cloud storage facility. “Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the NCA told Hunt.
The NCA said they weren’t able to determine or attribute the compromised email and password combos to any specific platform or company.
Attacks on UK firms surged five-fold during the pandemic
Attacks on UK firms surged five-fold during the pandemic and now cost way more than the global average, according to Accenture. The global consultancy polled 500 UK executives to compile its State of Cybersecurity Resilience 2021 study.
It found that large organisations experienced 885 attempted cyber-attacks in 2020 – up from 156 the previous year and more than triple the global average of 270. They’re also more expensive than elsewhere. Accenture calculated that incidents and breaches cost over £1.3m a year – £350,000 more than the global average. Over 80% of respondents said the cost of staying ahead of cyber-criminals is unsustainable, a fifth more than the previous year, and a quarter said they’ve been forced to increase cybersecurity budgets by 10% or more. Worryingly, supply chain attacks accounted for 64% of breaches in the UK last year, up by a quarter (26%) from the previous year. The report claimed that nearly half (49%) of large businesses lost over 100,000 customer records over the course of the past year, an increase of 28% from the previous year.
Train with QA Cyber Security
Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.
Richard Beck
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community, and has over 15 years' experience in senior Information Security roles.