Sergey Nivens - stock.adobe.com
Mass exploitation of the Log4Shell – CVE-2021-44228 – vulnerability in Apache Log4j, which was first publicised in December 2021, has almost entirely failed to occur, after the prompt actions of security professionals, according to Sophos’s Chester Wisniewski, who has been tracking Log4Shell extensively.
In a scenario that is comparable to the one that unfolded 22 years ago, when the efforts of IT teams around the world ensured that the sting was taken out of the Millennium Bug, Wisniewski said the immediate threat of attackers exploiting Log4Shell was averted because “the severity of the bug united the digital and security communities and galvanised people into action”.
“As soon as details of the Log4Shell bug became clear, the world’s biggest and most important cloud services, software packages and enterprises took action to steer away from the iceberg, supported by shared threat intelligence and practical guidance from the security community,” wrote Wisniewski in a blog published earlier this week.
Drawing on Sophos’ own telemetry, Wisniewski said that in the immediate aftermath of the Log4Shell disclosure there was a moderate volume of scanning for vulnerable systems as people moved to develop proof-of-concept exploits. Within a week, this had ramped up significantly, reaching a peak a few days before Christmas.
As previously reported, these numbers likely included a number of opportunistic cryptominers, nation state-backed advanced persistent threat (APT) units and financially motivated cyber criminals looking for targets, as well as a great many legitimate security companies, ethical hackers and penetration testers.
It is also important to consider that depending on how the Log4J code is used and integrated in an application, it is exploited differently, so a number of these scans will have turned out to be pointless.
Following this early surge, activity then dropped back through the end of December and into January, concurrent with which would have been a scaling back of legitimate scanning activity and an increase in actual cyber attacks. However, there were still far fewer successful attacks than one might have expected, and according to Sophos’s Managed Threat Response team, only a handful of its customers have been hit, and mostly by cryptominers.
Read more about Log4Shell
- The easy-to-exploit Log4j vulnerability known as Log4Shell is dangerous and must be dealt with as soon as possible. Get pointers on how to mitigate and monitor the threat.
- According to Microsoft, a threat actor tracked as DEV-0401 is utilizing Night Sky ransomware in its Log4j attacks, a variant first reported on 1 January that targets large enterprises.
- Whether by error or design is unclear, but a great many IT teams are still exposing themselves by downloading outdated, insecure versions of Apache Log4j.
As with the Millennium Bug, when a hyped-up crisis fails to materialise people are often quick to suggest there was never a problem in the first place, but Wisniewski said this was absolutely not the case with Log4Shell, and warned that as it is buried so deep in so many products and services, it does remain a target for malicious actors, and will be for some time to come.
“[There] are many other, more obscure applications involving Apache Log4J that will take time to be discovered and exploited by attackers,” he wrote. “These attacks will proceed at a human pace and won’t result in giant spikes of activity, although they will still present a significant risk to organisations that remain vulnerable.”
An additional factor to consider is that malicious actors, particularly ransomware operators, almost always spend a considerable time within their target networks after effecting their initial compromise – this so-called dwell time can last for months and is used to move laterally around within the target’s systems, gathering information such as credentials and exfiltrating data, prior to executing the final stages of their attacks. Therefore it is a safe bet that a great many cyber attacks where Log4Shell was abused to gain initial access have yet to impact, or, as Wisniewski put it: “Just because we’ve steered round the immediate iceberg, that doesn’t mean we’re clear of the risk.
“Sophos believes that attempted exploitation of the Log4Shell vulnerability will likely continue for years, and will become a favourite target for penetration testers and nation-state supported threat actors alike. The urgency of identifying where it is used in applications and updating the software with the patch remains as critical as ever,” he wrote.