Sophos has provided new threat intelligence on how cyberattackers are exploiting or attempting to exploit unpatched systems after the Apache Log4Shell vulnerability was reported.
The Apache Log4Shell is a library in Java used to keep a record of all activity and for logging requests in an application, commonly used by software developers across the world.
The threat intelligence as detailed in the SophosLabs Uncut report, Log4Shell Hell: Anatomy of an Exploit Outbreak, shows that Sophos is seeing a rapid uptick in attacks exploiting or attempting to exploit this vulnerability, with hundreds of thousands of attempts detected so far.
“The Log4Shell vulnerability presents a different kind of challenge for defenders. Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it,” Sean Gallagher, senior threat researcher at Sophos said.
The report also indicated that Crypto mining botnets are among the earliest attack adopters. Botnets focus on Linux server platforms, which are particularly exposed to this vulnerability.
Sophos has also seen attempts to extract information from services, including Amazon Web Services keys and other private data. The company said it observed that attempts to exploit network services start by probing for different types.
Read also: Technext to hold Africa’s biggest cryptocurrency gathering
“Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts,” Gallagher said.
Around 90 percent of the probes Sophos detected were focused on the Lightweight Directory Access Protocol (LDAP.) A smaller number of probes targeted Java’s Remote Interface (RMI,) but Sophos researchers noted that there seem to be a larger variety of unique RMI-related attempts
Sophos said it expects adversaries to intensify and diversify their attack methods and motivations in the coming days and weeks, including the possibility of leveraging ransomware.
“Sophos expects the speed with which attackers are harnessing and using the vulnerability will only intensify and diversify over the coming days and weeks. Once an attacker has secured access to a network, then any infection can follow. Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware,” Gallagher said.
Speaking on how the vulnerability works, why it works, and how to fix it, Paul Ducklin, principal research scientist at Sophos said technologies including web application firewall (WAF) and intelligent network filtering are all helping to bring this global vulnerability under control.
But the staggering number of different ways that the Log4Shell ‘trigger text’ can be encoded, the huge number of different places in network traffic that these strings can appear, and the wide variety of servers and services that could be affected are collectively conspiring against all of us.
“The very best response is perfectly clear, patch or mitigate your own systems right now,” Ducklin said.
