Log4j update: 60 variations of Log4Shell, hundreds of thousands of attacks

The severity of the vulnerability in Log4j is anything but theoretical. Cyber ​​criminals scan ports worldwide to find ways to exploit them. Security researchers observed hundreds of thousands of attacks.

In the past few days, Check Point Software recognized 470,000 attempts to scan corporate networks worldwide. The scans are performed, among other things, to find servers that allow external HTTP requests. Such servers are prone to exploit the infamous vulnerability in Java library Log4j. If a server allows HTTP requests, an attacker can ping the server with a single line pointing to a remote server with Java instructions for malware execution. If the pinged server is connected to a Java application that processes Log4j, the Java application processes the line as a command to execute the malware. At the bottom of the line, the victim’s server executes what an attacker orders. Security organization Sophos says it has identified hundreds of thousands of attacks.

Familiar faces

Earlier we wrote an enlightening article about the above-mentioned technical operation of the vulnerability in Log4j. The biggest precondition for abuse is the ability to reach Java applications incorporating Log4j. In some cases this is child’s play. For example, Apple used iCloud Log4j to record the names of iPhones. By changing the model name of an iPhone in iOS to an instruction for Java, it turned out to be possible to crack Apple’s servers.

In other cases, applications are less easy to influence. The biggest threat comes from attackers with experience, knowledge and existing techniques. Security researchers from Netlab360 set up two decoy systems (honeypots, ed.) to invite attacks on Java applications with Log4j. The researchers thus lured nine new variations of well-known malware types, including MIRAI and Muhstik. The malware strains are designed to abuse Log4j. A common attack target is the reinforcement of botnets for crypto mining and DDoS attacks. Check Point Software conducted a similar survey on a larger scale. In the past few days, the security organization registered 846,000 attacks.

Defense

It is obvious that cyber criminals seek out and exploit vulnerable versions of Log4j. The most advisable defense is and remains to inventory all Log4j applications in an environment. If the supplier of the application in which Log4j is used has released an updated version, patching is recommended. If not, disabling is the safest option. The NCSC keeps an overview of the vulnerability of software in which Log4j is processed.

It is currently anything but advisable to develop your own software measures or to adjust the operation of Log4j. The vulnerability has variations. Microsoft, among others, detected multiple variants of the rule used to instruct Java applications to run malware. Check Point speaks of more than 60 mutations.