Hackers linked to China and other governments are among a growing assortment of cyberattackers seeking to exploit a widespread and severe vulnerability in computer server software, according to cybersecurity firms and Microsoft Corp. MSFT 1.92%
The involvement of hackers whom analysts have linked to nation-states underscored the increasing gravity of the flaw in Log4j software, a free bit of code that logs activity in computer networks and applications.
Cybersecurity researchers say it is one of the most dire cybersecurity threats to emerge in years and could enable devastating attacks, including ransomware, in both the immediate and distant future. Government-sponsored hackers are often among the best-resourced and most capable, analysts say.
“The effects of this vulnerability will reverberate for months to come—maybe even years—as we try to close these doors and try to hunt down all the actors who made their way in,” said John Hultquist, vice president of intelligence analysis at the U.S.-based cybersecurity firm Mandiant Inc. MNDT -2.21%
Both Microsoft and Mandiant said they have observed hacking groups linked to China and Iran launching attacks that exploit the flaw in Log4j. In an update to its website posted late Tuesday, Microsoft said that it had also seen nation-backed hackers from North Korea and Turkey using the attack. Some attackers appear to be experimenting with the attack; others are trying to use it to break into online targets, Microsoft said.
One of the groups exploiting the security hole in Log4j is the same China-backed group that was linked to a widespread attack on Microsoft Exchange servers earlier this year, Microsoft said. In July, the Biden administration blamed China for the Microsoft Exchange attack and said it had high confidence hackers tied to the Ministry of State Security were behind it. Dozens of other countries also blamed Beijing, which has denied involvement in the hacking.
A spokesman for the Chinese Embassy in Washington said Wednesday that Beijing opposes “cyberattacks of any kind” and highlighted that the Log4j vulnerability was first reported by a security team in China.
Security researchers have seen no signs to date, however, that China or another nation-state hacking group is attempting widespread exploitation of the Log4j issue on the same scale as the Microsoft Exchange attacks, which infected hundreds of thousands of servers across the globe.
U.S. officials this week said it was inevitable that adversarial governments would seek to exploit the security hole, but said that they hadn’t yet identified specific foreign groups acting on it. The U.S. government is often slower to formally attribute cyberattacks to foreign governments than companies like Mandiant and Microsoft.
Many other hackers are trying to break into systems that are vulnerable to the bug to probe for vulnerable servers or install cryptocurrency mining software, botnet code and other forms of malicious software, security researchers said.
Ransomware groups are also using the attack, raising fears of more disruptive cyberattacks ahead, according to researchers. An Iran-backed hacking group has been “deploying ransomware, acquiring and making modifications of the Log4j exploit,” Microsoft said. The company also has seen the attack used by “access brokers”—hackers who break into companies and then sell that access to other criminals who then install ransomware, a kind of code that locks up a victim’s files and demands payment for their release.
By Tuesday evening, the cybersecurity firm Check Point Software Technologies Ltd. had counted close to 600,000 attempts to exploit the Log4j bug by malicious cybercriminals. About 44% of corporate networks world-wide had been hit by these attempts, the company said.
“We have seen a wide range of threat activity. It has largely been low-level activity such as cryptominers, but we do expect that adversaries of all sorts will use this vulnerability to achieve their strategic goals,” said Eric Goldstein, the executive assistant director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.
To date, CISA is unaware of a federal agency being breached by hackers leveraging the Log4j flaw, Mr. Goldstein told reporters Tuesday evening. The agency has given federal agencies a deadline of Dec. 24 to patch software to address the Log4j threat.
Researchers find the Log4j flaw particularly worrying because the free Java-based software is used in a broad range of products. It can be found in everything from security software to networking tools to videogame servers. The exact number of users of Log4j is impossible to know, but the software has been downloaded millions of times, according to the organization that builds it, the Apache Software Foundation.
The attack works reliably and is trivial to exploit, security researchers say. Although downloadable patches have already been made available, experts and U.S. officials said they expected the flaw to remain a problem for the long haul because some organizations will be slow to update their systems or might neglect to do so entirely.
“It’s a surprise it’s not more widespread,” said Adam Meyers, senior vice president of intelligence with CrowdStrike, a U.S.-based cybersecurity firm, which said they had detected Iranian actors leveraging the Log4j flaw. “The question that everyone is asking is, ‘What aren’t we seeing?’”
Corrections & Amplifications
In an update to its website posted late Tuesday, Microsoft said that it had also seen nation-backed hackers from North Korea and Turkey using the attack. An earlier version of this article misstated the day that Microsoft updated its website. (Corrected on Dec. 15, 2021.)
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Dustin Volz at dustin.volz@wsj.com
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8