Log4j update: Experts say log4shell exploits will persist for ‘months if not years’

Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due its ubiquity and ease of exploitation.

Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell “now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue.” 

“Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit… Further exploitation appears to have pivoted towards theft of private information,” Povolny told ZDNet.

“We fully expect to see an evolution of attacks.”

---

Also: Log4j zero-day flaw: What you need to know and how to protect yourself

---

Povolny added that the vulnerability’s impact could be enormous because it is “wormable and could be built to spread itself.” Even with a patch available, there are dozens of versions of the vulnerable component.

Due to the sheer number of observed attacks already, Povolny said it was “safe to assume many organizations have already been breached” and will need to take incident response measures. 

“We believe log4shell exploits will persist for months if not years to come, with a significant decrease over the next few days and weeks as patches are increasingly rolled out,” Povolny said.  

Since December 9, Sophos senior threat researcher Sean Gallagher said the attacks using the vulnerability evolved from attempts to install coin miners — including the Kinsing miner botnet — to more sophisticated efforts.

“The most recent intelligence suggest attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” Gallagher said. 

Paul Ducklin, principal research scientist at Sophos, added that technologies, including IPS, WAF, and intelligent network filtering, are all “helping to bring this global vulnerability under control.” 

“The very best response is perfectly clear: patch or mitigate your own systems right now,” Ducklin said. 

Dr. Richard Ford, CTO at Praetorian, explained that because exploiting the vulnerability often does not require authentication or special access, it has exposed an incredible array of systems. 

“There are even unconfirmed reports that simply changing your phone’s name to a particular string can exploit some online systems,” Ford said. 

Ford and his company’s engineers said it is “one of the largest exposures [they] have seen at internet scale.” 

---

Also: Log4j RCE activity began on December 1 as botnets started using vulnerability

---

Other experts who spent the weekend watching the vulnerability said hackers got to work almost immediately in exploiting the flaw. Chris Evans, CISO at HackerOne, said they have gotten 692 reports about Log4j to 249 customer programs, noting that major companies like Apple, Amazon, Twitter, and Cloudflare have all confirmed that they were vulnerable. 

“This vulnerability is scary for a few reasons: Firstly, it’s really easy to exploit; all the attacker has to do is to paste some special text into various parts of an application and wait for results. Secondly, it’s hard to know what is and isn’t affected; the vulnerability is in a core library that is bundled with many other software packages, also making remediation more complicated. Thirdly, it’s likely that many of your third-party vendors are affected,” Evans said. 

Imperva CTO Kunal Anand said that since rolling out updated security rules more than 13 hours ago, the company observed more than 1.4 million attacks targeting CVE-2021-44228. 

“We’ve observed peaks reaching roughly 280K attacks per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks,” Anand said.