It has been reported that security researchers have uncovered a long-running hacking campaign that breached at least six US state governments over the past year. According to that reporting, the Chinese cyberespionage group APT41 used a vulnerability in the web-based software USAHERDS to penetrate at least two of those targets, and it may have hit many more, given that 18 states run USAHERDS on web servers. We also want to call out that there is a Log4j tie here as well: when the Log4j vulnerability was disclosed, APT41 began exploiting it almost immediately. No matter which vulnerability provided the initial access, once inside the networks APT41 tailored its malware to the victim's environment in order to make the attacks as effective as possible.
It should come as no surprise that nation-state actors target other governments following disclosure of a new high-profile vulnerability, nor that business systems are targeted in the same way after a disclosure. Attackers define the rules of their attack, and they know that patching will be a high priority for anyone exposed to a newly disclosed vulnerability. They also know that a vulnerable system may be patched at any moment, so they exploit it quickly and establish persistence that survives the patch, so that the system remains usable to them even after the original hole is closed. It is this race against time that matters when dealing with a vulnerability like Log4Shell: the vulnerable Log4j component is ubiquitous. When time matters, you need a complete asset inventory, including every dependency each application carries. That inventory is increasingly known as an SBOM, or Software Bill of Materials, but having an SBOM does nothing if it is not part of a patch management process designed to mitigate risk. The companies that patched Log4Shell quickly did so because they knew exactly where they were using Log4j and could update those locations accordingly.
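To make the SBOM point concrete, here is an added example (not code from the original post or from any of the vendors it mentions) of the kind of query a patch management process would run against an inventory the moment Log4Shell was disclosed: walk a CycloneDX-style SBOM, pick out every log4j-core component, and decide from its version whether CVE-2021-44228 applies. The SBOM below is constructed for illustration and the function names are our own; the version boundaries are those published for the CVE (log4j-core 2.0-beta9 through 2.14.1 affected, with the 2.3.1 and 2.12.2 backport releases and 2.15.0 onward fixed).

```python
"""Find Log4Shell-affected log4j-core components in a CycloneDX-style SBOM.

Added example; the SBOM document below is constructed, not taken from a real scan.
"""
import json
import re

# Constructed CycloneDX 1.4-style SBOM fragment with a mix of affected and
# unaffected components so the filter has something to separate.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "log4j", "name": "log4j",
         "version": "1.2.17", "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.0-beta9", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
    ],
})

LOG4J_GROUP = "org.apache.logging.log4j"
# Only log4j-core carries the JNDI lookup; log4j-api alone is not the problem.
VULNERABLE_ARTIFACT = "log4j-core"

# Accepts forms like 2.14.1, 2.3, 2.0-beta9, 2.0-rc1.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_version(version):
    """Split a Log4j version string into (major, minor, patch, pre_kind, pre_num)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre_kind, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), pre_kind,
            int(pre_num) if pre_num is not None else None)


def is_log4shell_vulnerable(version):
    """True if this log4j-core version is affected by CVE-2021-44228.

    Returns None when the version string cannot be parsed, so callers can
    route it to manual review instead of silently treating it as safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, pre_kind, pre_num = parsed
    if major != 2:
        return False  # 1.x has no message lookups (it is EOL, but that is a separate finding)
    if minor > 14:
        return False  # 2.15.0 onward: message lookups disabled / JNDI removed
    if minor == 0 and pre_kind == "beta" and pre_num < 9:
        return False  # the JNDI lookup was introduced in 2.0-beta9
    if minor == 3 and patch >= 1:
        return False  # 2.3.1+ backport fix for the Java 6 line
    if minor == 12 and patch >= 2:
        return False  # 2.12.2+ backport fix for the Java 7 line
    return True


def find_vulnerable_components(sbom_json):
    """Return the log4j-core entries that are affected (or unparseable) in an SBOM."""
    sbom = json.loads(sbom_json)
    flagged = []
    for comp in sbom.get("components", []):
        if comp.get("group") != LOG4J_GROUP or comp.get("name") != VULNERABLE_ARTIFACT:
            continue
        status = is_log4shell_vulnerable(comp.get("version", ""))
        if status is False:
            continue
        flagged.append({
            "name": comp["name"],
            "version": comp.get("version", ""),
            "purl": comp.get("purl", ""),
            "status": "vulnerable" if status else "unknown-version-review",
        })
    return flagged


if __name__ == "__main__":
    for entry in find_vulnerable_components(SAMPLE_SBOM):
        print(f"{entry['status']}: {entry['purl']}")
```

The filter deliberately keys on the artifact name rather than on "anything with log4j in it": log4j-api and Log4j 1.x match the string but are not CVE-2021-44228. The caveat a practitioner should carry from this is that the query is only as good as the SBOM that feeds it. An SBOM generated from a build manifest will not list a log4j-core copy bundled inside a shaded or fat JAR, so the inventory has to be produced by a tool that looks inside artifacts, or supplemented by a filesystem scan, before its answer can be trusted.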