Log4Shell Among Chinese Hackers' Fave Vulns, Say Feds
There's no reason not to take the obvious route: Log4Shell
remains a top vulnerability exploited by Chinese hackers, says the U.S.
government.
A roundup by the FBI, National Security Agency and
Cybersecurity and Infrastructure Security Agency of the 20 most actively
exploited vulnerabilities favored by Beijing's coterie of state-sponsored
threat actors over the past two years puts CVE-2021-44228 - better known as
Log4Shell - smack at the top.
Chinese state-sponsored hacking continues to be "one of
the largest and most dynamic threats to U.S. government and civilian
networks," the agencies collectively warn.
China has a decades-long history of state-sponsored hacking
for commercial gain and national security purposes. The United States, joined
by the European Union, the United Kingdom and NATO, in 2021 denounced China for
a "pattern of irresponsible behavior in cyberspace." More recently,
FBI Director Christopher Wray and Ken McCallum, director general of the U.K.'s
MI5, jointly warned business and academic leaders about Chinese intellectual
property theft.
Log4Shell burst into view late last year as a high-impact
flaw in open-source Java utility Log4j maintained by the Apache Software
Foundation and often deployed as a software library in other applications,
including other Apache applications and VMware products.
Researchers from the Alibaba Cloud Security Team in late
2021 discovered a flaw allowing attackers to inject malicious messages through
the Lightweight Directory Access Protocol. The Cyber Safety Review Board, a
federally run committee, earlier this year characterized Log4Shell as an
"endemic vulnerability" likely to cause problems for up to a decade
and possibly even longer (see: Log4j Flaw Is 'Endemic,' Says Cyber Safety
Review Board).
Brian Fox, CTO of software supply chain management firm
Sonatype, tells Information Security Media Group that seeing Log4j listed as a
key vulnerability comes as no surprise: Log4j is widespread and Log4Shell is
relatively easy to exploit.
"Our data shows that outdated, vulnerable versions of
the Log4j dependency are still being downloaded 38 - 40% of the time," Fox
says. Fox recommends software bills of materials as a means to track those
dependencies.
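The SBOM recommendation above is the practical takeaway for defenders: a bill of materials makes it possible to check every build for the vulnerable Log4j artifact rather than hoping nobody pulled in an old version. The following is an added example, not code from the article or from Sonatype, showing how such a check can be automated against a CycloneDX-style SBOM. The SBOM document embedded in it is constructed sample data; the version facts it relies on are that CVE-2021-44228 was fixed in log4j-core 2.15.0, with backport fixes 2.12.2/2.12.3 (Java 7) and 2.3.1/2.3.2 (Java 6), and that only the log4j-core artifact (not log4j-api) carries the flaw. Log4j 1.x is not affected by this CVE but has been end-of-life since 2015, so it is reported separately.

```python
import json
import re

# Facts from the Apache advisory for CVE-2021-44228 (the CVE named in the article).
CVE_ID = "CVE-2021-44228"
FIXED_FROM = (2, 15, 0)
# Backport releases that fixed the flaw for older Java runtimes.
BACKPORT_FIXES = {(2, 12, 2), (2, 12, 3), (2, 3, 1), (2, 3, 2)}

# Constructed sample SBOM (CycloneDX JSON shape); not taken from any real build.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.2"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "log4j", "name": "log4j", "version": "1.2.17"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
        # Some generators only emit a package URL; the audit must cope with that too.
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.0?type=jar"},
    ],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a Maven version string.

    Pre-release suffixes such as '2.0-beta9' are dropped, so early 2.0 betas
    are treated like 2.0.0; that is deliberately conservative for an audit.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def coordinates(comp):
    """Extract (group, name, version), preferring explicit fields, else the Maven purl."""
    if "group" in comp and "name" in comp:
        return comp["group"], comp["name"], comp.get("version", "")
    purl = comp.get("purl", "")
    if purl.startswith("pkg:maven/") and "@" in purl:
        path, version = purl[len("pkg:maven/"):].split("@", 1)
        version = version.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
        group, _, name = path.rpartition("/")
        return group, name, version
    return "", "", ""


def classify_log4j(group, name, version):
    """Classify one component: 'vulnerable', 'fixed', 'unknown', 'eol' (1.x) or None."""
    if group == "log4j" and name == "log4j":
        return "eol"  # Log4j 1.x: not affected by this CVE, but unmaintained
    if group != "org.apache.logging.log4j" or name != "log4j-core":
        return None  # only log4j-core carries the JNDI lookup code
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v >= FIXED_FROM or v in BACKPORT_FIXES:
        return "fixed"
    return "vulnerable"


def audit_sbom(sbom):
    """Return a list of findings for every component that needs attention."""
    findings = []
    for comp in sbom.get("components", []):
        group, name, version = coordinates(comp)
        status = classify_log4j(group, name, version)
        if status in ("vulnerable", "unknown"):
            advisory = CVE_ID
        elif status == "eol":
            advisory = "Log4j 1.x is end-of-life; review separately"
        else:
            continue
        findings.append({"component": f"{group}:{name}", "version": version,
                         "status": status, "advisory": advisory})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

Run against a real SBOM by loading the JSON file in place of SAMPLE_SBOM; in a pipeline, a non-empty "vulnerable" list is the signal to fail the build. The check is intentionally narrow (one artifact, one CVE) so that its verdicts are easy to reason about; a production audit would feed the same coordinates to a vulnerability database rather than hard-code ranges.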
Other vulnerabilities popular among Chinese hackers include
remote code execution bugs in Atlassian software and, inevitably, a handful of
Microsoft flaws.
Among the Microsoft vulnerabilities is an Exchange bug,
CVE-2021-26855, which the White House says China's Ministry of State Security
exploited to conduct cyberespionage.