As Holidays Approach, Log4j Vulnerability Exploitations Continue Unabated

As the holidays swiftly approach, cybercriminals remain actively exploiting the log4j vulnerability with distributed scans and attacks globally.

That’s according to Sophos. It released its latest log4j research on Tuesday.

Sean Gallagher is senior threat researcher at Sophos.

Sophos’ Sean Gallagher

“Sophos continues to monitor scans for log4j vulnerabilities,” he said. “In the past with vulnerability scans and exploit attempts, we’ve seen big spikes and then significant dropoffs.”

In the case of log4j, Sophos hasn’t seen any drop-offs, Gallagher said. Instead, there’s scans and exploit attempts from a globally distributed infrastructure on a daily basis.

Sophos expects this high degree of activity to continue, he said. That’s due to the multi-faceted nature of the vulnerability and the large extend of patching required.

On Dec. 10, researchers discovered a zero-day exploit in the popular Java logging library log4j. It results in remote code execution (RCE) by logging a certain string. Since then, additional vectors have been discovered.

Log4J Vulnerability Prompts Malicious Activity

“As indicated, in some cases, a request comes from an IP address in one geographic region, with embedded URLs for log4j that connect to servers elsewhere — sometimes multiple different servers,” Gallagher said. “And while some of this is benign testing or research by penetration testers and other security researchers, a larger portion is malicious.”

For example, Sophos telemetry shows 59% of the exploit attempts try to make log4j contact with internet addresses in India. More than 40% of the exploit attempts try to make log4j contact with internet addresses in the United States.

However, the exploit attempts themselves predominantly originate from China and Russia. And most are tied to cybercrime.

“One server in Russia, connected to the Kinsing cryptocoin-mining botnet, is responsible for more than 10% of the exploit attempts Sophos has seen – more than 33% of the traffic from that country,” Gallagher said.

A Pathway for Malware

Nigel Thorpe is technical director at SecureAge. He said the log4j vulnerability illustrates why organizations can’t just rely on cybersecurity training and tools that look for code, patterns and behavior that’s already known as malicious.

SecureAge’s Nigel Thorpe

“After all, until recently everyone thought that log4j was just a neat way for services to log their actions,” he said. “Now we know that unpatched, log4j provides a way for cybercriminals to get their malware into systems.”

All the affected services run on servers that are tightly controlled, Thorpe said.

“Sure, their customers probably click on malicious links on a regular basis, but the servers themselves should be tightly wrapped up,” he said. “So why continue to try and identify the potentially infinite universe of malware when we know precisely what is authorized to run on these servers? Why not simply allow all the known, approved processes to execute, and block everything else?”

All malware has to execute so that it can achieve its aims, Thorpe said. That includes data theft, opening a backdoor or scrambling all data.

“And we know that all malware should be blocked,” he said. “So let’s put some simple, pragmatic controls in place. It’s like a bouncer at a club. You’re not on the list so you’re not coming in.”

Datto Helps MSPs Protect Themselves From Log4J Exploits

Datto is encouraging all MSPs to download a free script it has developed and made available on GitHub for any remote monitoring and management (RMM) solution. This endpoint assessment tool can enumerate potentially vulnerable systems, detect intrusion attempts, and inoculate Windows systems against log4j vulnerability attacks.

Within 24-48 hours following the disclosure of the log4j vulnerability, Datto first declared its products safe for use. Datto began sharing active threat intelligence with the MSP community about attacks it observed to help MSPs understand the log4j threat and how it was being exploited.

The adoption of the component created for Datto RMM has been utilized by almost 50% of all Datto RMM partners. That represents millions of scans of endpoints by MSPs for vulnerabilities at client-sites that are SMBs.

Still Early Days With Log4J Vulnerability

Ryan Weeks is Datto’s CISO.

Datto’s Ryan Weeks

“It’s still early days with this threat,” he said. “There are no currently widely known cases of MSPs suffering attacks due to log4shell exploits on the log4j vulnerabilities. We know from threat intelligence sources and reporting that initial access brokers started to scan for vulnerable instances within the first 48-72 hours of the exploit being known. We also know that ransomware operators are operationalizing the exploit in their kits. I expect that we’ll start to see more ransomware attacks in the coming weeks and months that can be traced back to initial access via log4j exploit.”

There’s still ample time for MSPs to protect themselves, Weeks said.

“An exploited server at this stage can still be identified and responded to in a way that minimizes damage,” he said. “Assuming breach and building cyber resilience means we knew this day would come and we’ve built capabilities to respond to it. If there is a threat present on a vulnerable system, you can still evict them, recover the systems and prevent a worse outcome like full scale ransomware.”

MSPs should implement outbound network egress restrictions, Weeks said. That should both kill the attack chain for log4shell and disrupt potential command and control communications (C2).