Almost half of networks probed for Log4Shell weaknesses

Close to half of corporate networks have already been actively targeted by individuals seeking to exploit the critical Log4Shell Apache bug

Close to half of corporate networks around the world have now been actively probed by malicious actors trying to find a way to exploit CVE-2021-44228, aka Log4Shell remote code execution (RCE) vulnerability in the Apache Log4j2 Java logging framework, according to Check Point data.

The firm said that it had seen attempted exploits against 46.2% of corporate networks in Australia and New Zealand, 42.4% in Europe, 41.8% in Latin America, 41,4% in Africa, 37.7% in Asia, and 36.4% in North America. In the UK, 37% of corporate networks have already experienced attempted cyber attacks – in Ireland, this rises to 49%.

Broken out by industry, organisations present in the IT supply chain, such as systems integrators, value-added resellers (VARs) and distributors are by some margin the most targeted, followed by organisations in the education and research sector, consultancies and managed service providers. Organisations in transport, leisure and hospitality, and resale and wholesale are being affected less.

As of the morning of 13 December, approximately 72 hours after disclosure, Check Point’s own systems had stopped more than 846,000 attempts to exploit Log4Shell, 46% of them made by known malicious groups.

Check Point’s research team described Log4Shell as a true cyber pandemic, spreading like wildfire, noting in particular the rapid development of various different ways to exploit it, which are giving threat actors a clear edge in terms of how to get around defences. Clearly, the team said, the outbreak has not yet reached its peak.

“We’re seeing what appears to be an evolutionary repression, with new variations of the original exploit being introduced rapidly – over 60 in less than 24 hours,” said Check Point’s Lotem Finkelsteen, director of threat intelligence and research.

“The number of combinations of how to exploit it gives the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough, and only a multi-layered security posture would provide a resilient protection.

“This vulnerability, because of the complexity in patching it and easiness to exploit, will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products,” he added.

Meanwhile, researchers at Bitdefender have been sharing details of some of the attacks seen so far in the wild.

Already, it said, its telemetry was detecting a number of botnets exploiting the vulnerability to deploy backdoors, expand their networks and deploy illicit cryptominers, among other things. The Muhstik botnet is known to be a particularly enthusiastic “early adopter”.

In addition to this, it is seeing Log4Shell being used to deploy remote access trojans (Rats), reverse bash shells in the service of future attacks, as well as the emergence of a new ransomware family, which goes by the name of Khonsari and is targeting systems running Windows.

Bitdefender urged defenders to audit their infrastructure and software estates to establish their exposure to the Log4j2 framework, and apply the available patches or mitigations; to review software supply chains; to consider implementing a defence-in-depth approach; and to actively monitor their infrastructure.

In addition, the team noted, it is also critical in this instance to recognise that many software suppliers and open source projects are still investigating their own exposure to Log4j2, and that further advisories and patches will be trickling out for weeks, even months to come. Therefore, one must keep a close eye on supplier updates.

Guidance from the UK’s NCSC has also been made available.

Read more about Log4j2 Log4Shell

Read more on Hackers and cybercrime prevention