
Log4j: Belgian Defense Ministry Reports It Was 'Paralyzed'

Ministry of Defense Says Attack Relates to Widespread Apache Flaw
The Log4j vulnerability was reportedly leveraged in a cyberattack on the Belgian Ministry of Defense. (File image)

The Belgian Ministry of Defense, which is responsible for national defense and the Belgian military, announced on Monday that it has fallen victim to a cyberattack officials say relates to the widespread Apache Log4j vulnerability. The attack reportedly "paralyzed the ministry's activities for several days."


In comments provided to the Belgian newspaper De Standaard, a military spokesperson said an attack on the ministry's IT network was first detected last Thursday, and "quarantine measures" were taken to isolate affected areas. It is not known if this was a ransomware incident.

The ministry told the Belgian newspaper that the cyberattack stemmed from Apache's Log4j - which provides logging capabilities for Java applications and is widely used, including for Apache web server software.

Belgian Commander Olivier Séverin also told the outlet, "All weekend our teams have been mobilized to control the problem, continue our activities and warn our partners."

Taking to Facebook in the wake of the attack, the Ministry of Defense writes, "Due to technical issues, we are unable to process your requests via mil.be or answer your queries via Facebook. We are working on a resolution and we thank you for your understanding."

Representatives for both the ministry and Defense Minister Ludivine Dedonder did not respond to Information Security Media Group's request for comment. Belgian officials also did not elaborate on the attack's specifics with De Standaard.

The Belgian incident is one of the first high-profile attacks stemming from the Log4j vulnerability, although cybersecurity experts have warned of active scanning and exploitation of the remote code execution vulnerability.

The Belgian Ministry of Defense was recently hit with a 'serious cyberattack.' (Source: Google Maps)

Dangerously High Severity

The vulnerability, initially tracked as CVE-2021-44228 and detected in the Java logging library Apache Log4j, can result in full server takeover and leaves countless applications vulnerable. The component is used to log events and is part of tens of thousands of deployed applications and cloud-based services. CVE-2021-44228 has a 10 severity rating on a scale of 1 to 10, as attackers can remotely exploit it without any input from the victim, and exploiting it requires limited technical skill.

Since the flaw was discovered, the nonprofit that maintains Log4j, the Apache Software Foundation, has released several new versions - including 2.17, the latest - to fix subsequent, high-severity denial-of-service vulnerabilities.

The latest patch follows an emergency directive issued by the U.S. Cybersecurity and Infrastructure Security Agency, requiring federal civilian departments and agencies to "immediately" patch their systems or implement appropriate mitigation measures. CISA previously gave agencies until Friday to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog (see: CISA to Agencies: Patch Log4j Vulnerability 'Immediately').
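The directive above asks organizations to patch or mitigate, and the first step in either case is finding where Log4j actually lives. The following script is an added example, not code from the article or from the Apache project: it walks a directory tree, opens every jar, and reads the library's own Maven `pom.properties` record to identify `log4j-core` and its version, falling back to the `log4j-core-<version>.jar` filename when that record is absent. Reading the embedded metadata matters because a filename-only inventory misses jars that were renamed or bundled under another name. The threshold of 2.17.0 is taken from the article, which names 2.17 as the latest fix at the time; treat it as a parameter to raise as newer releases appear. The sample jars are constructed in a temporary directory so the script runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Article names 2.17 as the latest fix at the time of writing; adjust to the current fixed release.
FIXED_VERSION = (2, 17, 0)
# Standard Maven metadata path that log4j-core jars carry; used to identify the artifact regardless of filename.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.17' or '2.14.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def version_from_pom_properties(data: bytes) -> Optional[str]:
    """Extract the 'version=' entry from a Java properties file."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def classify(version: Optional[tuple]) -> str:
    """Compare a parsed version against the fixed release."""
    if version is None:
        return "unknown"
    return "ok" if version >= FIXED_VERSION else "needs-update"


def inspect_jar(path: Path) -> Optional[dict]:
    """Return a finding for a log4j-core jar, or None if the jar is something else."""
    version_text, source = None, None
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPERTIES in zf.namelist():
                version_text = version_from_pom_properties(zf.read(POM_PROPERTIES))
                source = "pom.properties"
    except zipfile.BadZipFile:
        return None
    if version_text is None:
        # Fallback: rely on the conventional artifact filename.
        m = re.match(r"^log4j-core-(\d[\w.\-]*)\.jar$", path.name)
        if not m:
            return None
        version_text, source = m.group(1), "filename"
    return {"path": str(path), "version": version_text, "source": source,
            "status": classify(parse_version(version_text))}


def scan_tree(root: str) -> list:
    """Inventory every jar under root and keep only log4j-core findings."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        finding = inspect_jar(jar)
        if finding is not None:
            findings.append(finding)
    return findings


def _write_jar(path: Path, entries: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not real deployments): a mix of old, fixed, renamed and unrelated jars."""
    base = Path(root)
    _write_jar(base / "lib" / "log4j-core-2.14.1.jar", {POM_PROPERTIES: "version=2.14.1\n"})
    _write_jar(base / "lib" / "log4j-core-2.17.0.jar", {POM_PROPERTIES: "version=2.17.0\n"})
    # Renamed copy: only the embedded metadata reveals what it is.
    _write_jar(base / "app" / "vendor" / "logging.jar", {POM_PROPERTIES: "version=2.15.0\n"})
    # Metadata stripped: only the filename is available.
    _write_jar(base / "lib" / "log4j-core-2.16.0.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    # Unrelated library: must be ignored.
    _write_jar(base / "lib" / "commons-io-2.11.0.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})


def run_demo() -> dict:
    """Build the constructed tree, scan it and return findings keyed by jar filename."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {Path(f["path"]).name: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(f"{finding['status']:12} {finding['version']:8} ({finding['source']}) {name}")
```

Two caveats a practitioner should keep in mind: Log4j also shipped fixes on older maintenance branches for older Java runtimes, which a single numeric threshold will flag as needing an update, so review those separately; and a jar inventory only covers artifacts on disk, not Log4j classes repackaged inside application archives or container images, which need the same check applied after extraction.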

Dridex, Meterpreter Used in Attacks

The security research group Cryptolaemus has now made the connection between the Log4j vulnerability and Dridex banking malware, along with the Meterpreter pen-testing tool for Linux devices, which can potentially allow for lateral movement and data exfiltration.

There has been no shortage of new attack attempts arising from the exploit of Log4Shell, including nation-state activity and cybercrime groups launching new phishing campaigns. Some experts said last week they were detecting some 100,000 attack attempts per minute related to Log4j (see: Apache Log4j: New Attack Vectors, Ransomware Seen).

Dridex, tracked by CISA as AA19-339A, has been used in tandem with the Log4j vulnerability by threat actors to launch attacks on Windows systems. Experts say malware operators are also using tools such as Meterpreter for persistence on networks, including Linux devices.

One of the most widely deployed malware strains against financial institutions, Dridex was first detected in 2012, according to CISA. Early Dridex versions were used for intercepting customer transactions and gathering login credentials. The banking Trojan has since been used to infect devices with ransomware and has been linked to the notorious Russian hacking group Evil Corp.

Attackers have traditionally pushed Dridex malware through phishing campaigns, and it has been linked to a variety of tactics, techniques and procedures, or TTPs, including installing keylogging software and launching crypto-locking malware attacks, CISA says.

One identifier of the Dridex threat actors leveraging the Log4Shell vulnerability includes file names and URLs labeled with derogatory terms - including religious and racial slurs - as first reported by Bleeping Computer.

If the exploit is unable to launch Windows commands, the malware assumes it is instead a Linux device and executes a Python script. Threat actors are also reportedly installing the pen-testing tool Meterpreter to connect to a compromised server and remotely execute commands, Bleeping Computer reported.

For the latest news and mitigation strategies from Information Security Media Group's reporting on the Log4j vulnerability, visit the updated thread, here.


About the Author

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.



