Log4j Vulnerabilities: Over 80% of Exploitation Attempts Originated in the U.S.

essidsolutions

Scanning for Log4j vulnerabilities to breach systems for crypto mining, ransomware deployment, DDoS, and other cyberattacks has remained broadly consistent over the last three months. According to Barracuda Networks, since the three critical bugs were discovered in December 2021, 83% of infiltration attempts have originated in the U.S. The company believes threat actors may be preparing for future attacks.

In January this year, Microsoft assessed that Log4Shell attacks might continue for years to come, thanks to the prevalence of the vulnerable framework Log4j across a significant chunk of the internet infrastructure. Discovered in December 2021, the three vulnerabilities do have patches, but legacy systems could render them not quite as effective as one would hope.

Two of the three Log4j vulnerabilities, viz., CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832, have CVSS scores of 10 and 9 out of 10, making them attractive to threat actors aiming to get their hands on organizational resources. This is evident from the millions of breach attempts in which hackers exploited all three, alone or in combination, within days of their being publicized.

Cisco Talos alone stopped over 845,000 breach attempts from identified criminal groups in the week following the discovery of Log4j bugs. According to researchers at Barracuda Networks, “the volume of attacks attempting to exploit these vulnerabilities has remained relatively constant with a few dips and spikes over the past two months.”

By December 12, 2021, Sophos had also discovered hundreds of thousands of remote code execution attempts. Check Point said it prevented 4.3 million intrusion attempts by December 20.

“Given the popularity of the software, the exploitability of the vulnerability and the payoff when a compromise happens, we expect to see this attack pattern continue, at least for the short-term,” they added.

Chart: Percentage of Attacks Targeting Log4j (Source: Barracuda)


Meanwhile, Sophos’ research on Log4Shell attacks presented more or less the same results as Barracuda’s. The chart below shows attack attempts blocked by Sophos until January 21, 2022, which correlates with the data from Barracuda. Clearly, attacks declined somewhat until the start of February but never went away.

Chart: Log4Shell Attack Attempts Blocked by Sophos (Source: Sophos)

Barracuda’s assessment doesn’t evoke the same dread as Microsoft’s warning from January 2022, but it does indicate that threat actors are keen on exploiting the critical vulnerabilities, possibly because of Log4j’s ubiquity on the internet.

The Java-based logging framework is used by Apple, Amazon, Google, Tesla, Twitter, LinkedIn, CloudFlare, Webex, Steam, Cisco, VMware, IBM, Okta, etc. These are just some of the many impacted vendors, most of which released update patches to thwart any attempts at exploitation.

“The numbers simply confirm that a great many people, with good or bad intentions, were trying to gauge how vulnerable others were to the threat by looking for the number of potentially exposed systems,” Sophos stated.

The company added that “the overall number of successful attacks to date remains lower than expected.” This, Sophos says, could be due to attack customization that each Log4j application requires.

In the past three months, Log4j vulnerabilities were used to target systems through malicious payloads for DDoS attacks, cryptomining, etc. For instance, the Conti ransomware gang exploited Log4j vulnerabilities to compromise VMware installations and deploy ransomware.


VMware may have had more than external threats to deal with. According to Barracuda, efforts were made to exploit the company’s systems via lateral movement within its network, thus raising the possibility of insider threats.

Microsoft Threat Intelligence Center also observed in January that one of the bugs (CVE-2021-44228) was being leveraged by nation-state threat groups from Iran (PHOSPHORUS), China (HAFNIUM), North Korea, and Turkey. Until January 2022, a majority of threats originated from these and some other countries. However, the trend quickly took a turn.

Barracuda said the data it has collected since December 10, 2021, suggests that the lion’s share (83%) of the Log4j exploit attempts came from U.S.-based IP addresses. These were scanning and intrusion attempts, not payload deployment.

Of the remaining 17%, 10% came from Japan, 3% from Germany and the Netherlands, 1% from Russia, and 3% from unknown sources. Over half of the IP addresses that performed vulnerability scanning and intrusion attempts were associated with AWS, Azure and other data centers.

By far, the Mirai botnet was the most common type of payload that Barracuda noticed. Others included Kinsing (a cryptominer), XMRig (a cryptominer), the BillGates malware (DDoS), and Mirai and Muhstik variants (DDoS). “The prevalence of DDoS botnet malware seems to suggest that threat actors are working toward building out a large botnet for future use, and there should be an expectation of large DDoS attacks in the near future,” Barracuda said.

Sophos also believes that “attempted exploitation of the Log4Shell vulnerability will likely continue for years and will become a favorite target for penetration testers and nation-state supported threat actors alike. The urgency of identifying where it is used in applications and updating the software with the patch remains as critical as ever.”

To mitigate the immediate impact of the vulnerabilities, update Apache Log4j to version 2.17.1 or later. Additionally, Web Application Firewall (WAF) or WAF-as-a-service tools could help. Finally, legacy applications may remain dangerous even with the patch, which is why organizations should update all applications in use.
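Finding where Log4j is bundled is the first step of that update advice. As an added example (not code from the article, Barracuda or Sophos), the Python script below reads the Maven pom.properties file that log4j-core JARs carry and flags any version below 2.17.1; the JAR it builds for testing is a constructed sample, and nested JARs inside WAR/EAR archives are assumed to have been unpacked first.

```python
import io, re, zipfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

PATCHED = (2, 17, 1)  # the minimum version the article recommends
# Maven metadata file that log4j-core ships inside its own JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '2.14.1' or '2.17.1-rc1' into (major, minor, patch); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def needs_update(version: str) -> bool:
    """True when the version is older than 2.17.1."""
    return parse_version(version) < PATCHED

def version_from_pom_properties(text: str) -> Optional[str]:
    """Read the version= entry from a pom.properties file."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None

def check_jar_bytes(data: bytes) -> Optional[Tuple[str, bool]]:
    """Return (version, needs_update) if the JAR bundles log4j-core, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        version = version_from_pom_properties(zf.read(POM_PROPS).decode("utf-8", "replace"))
    return (version, needs_update(version)) if version else None

def scan_directory(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, needs_update) per log4j-core JAR under root (nested WAR/EAR contents are not recursed)."""
    for path in Path(root).rglob("*.jar"):
        try:
            result = check_jar_bytes(path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a valid archive; skip it
        if result:
            yield (str(path), *result)

def make_sample_jar(version: str) -> bytes:
    """Constructed minimal JAR holding only pom.properties, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()
```

Run scan_directory against an application's lib folders and treat every entry flagged True as an upgrade item; 2.17.0 is reported as needing an update because it predates the recommended release.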
