Cybercriminals are pouncing on the Log4Shell vulnerability with hundreds of thousands of attempts to remotely execute code.

That’s according to Sophos. Last week, researchers discovered a zero-day exploit in the popular Java logging library log4j. It results in remote code execution (RCE) by logging a certain string.

According to LunaSec, many services are vulnerable to this exploit. That includes cloud services like Steam, Apple iCloud, and apps like Minecraft.

Sean Gallagher is senior threat researcher at Sophos.

Sophos’ Sean Gallagher

“Initially, these were proof-of-concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability,” he said. “This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggest attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service (AWS) accounts.”

Attackers also are trying to exploit the vulnerability to install remote access tools in victim networks. That potentially includes Cobalt Strike, a key tool in many ransomware attacks.

Different Challenge for Defenders

The Log4Shell vulnerability presents a different kind of challenge for defenders, Gallagher said.

“Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange,” he said. “Once defenders know what software is vulnerable, they can check for and patch it.”

Many products use the Log4Shell library, Gallagher said. It can therefore be present in the darkest corners of an organization’s infrastructure. That includes any software developed in-house.

“Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,” he said.

Attackers harnessing and using the vulnerability will only intensify and diversify over the coming days and weeks, Gallagher said.

“Once an attacker has secured access to a network, then any infection can follow,” he said. “Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.”

Tim Wade is technical director of Vectra‘s CTO team.

Vectra’s Tim Wade

“While the specifics of how attacking this vulnerability may play out are still a bit open ended, given the widespread use and position of the underlying software, it absolutely looks like a good candidate for malicious network ingress, which means network defenders should be on guard for suspicious outbound traffic that may indicate command-and-control,” he said.

This shows how critical effective detection and response capabilities are, Wade said. It also shows the risk of having a prevent, patch and pray strategy.

Log4Shell Poses Extremely High Risk

Chris Morgan is senior cyber threat intelligence analyst at Digital Shadows.

Digital Shadows’ Chris Morgan

“On initial inspection, the Apache Log4j Java library vulnerability looks extremely high risk,” he said. “The bug … is reportedly easy to exploit and can achieve remote code execution.”

At a high level, this bug allows an attacker to deliver a malicious payload, Morgan said. The attacker can also use the payload to trigger the Log4Shell vulnerability. That in turn injects a secondary stage of the attack to execute arbitrary code.

A workaround has been released to address this flaw, which comes as part of Log4j version 2.15.0, Morgan said. This reportedly changes a system setting from false to true by default. Users should leave the setting at true.

“Given the scale of affected devices and exploitability of the bug, it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,” he said.

Organizations should update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications, Morgan said.

One of 2021’s Worst Vulnerabilities

Dor Dali is director of information security at Vulcan Cyber. He said Vulcan classifies the Log4j vulnerability as very critical and “I would class it in the top-three worst vulnerabilities of 2021.”

“It wouldn’t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,” he said. “Connecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren’t taken right away. The Log4j vulnerability is relatively easy to exploit and we’ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world.”

Hopefully every organization running Java has the ability to secure, configure and manage it, Dali said.

If Java is being used in production systems, IT security teams must prioritize the risk and mitigation campaigns, he said. They also should follow remediation guidelines from the Apache Log4j project as soon as possible.