Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due to its ubiquity and ease of exploitation.
Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell “now firmly belongs in the same conversation as Shellshock, Heartbleed and EternalBlue.”
“Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit. Given the low-hanging fruit and ease of exploitation, this was anticipated. Further exploitation appears to have pivoted towards theft of private information, including leaking of sensitive information such as environment variables from cloud service providers and leakage of sensitive or private data,” Povolny told ZDNet.
“Given that the vulnerability allows for arbitrary remote code execution, we fully expect to see an evolution of attacks leading to deployment of complex malware and ransomware, command and control for data exfiltration, as well as network persistence and pivoting towards other integral systems on adjacent networks.”
Povolny added that the vulnerability’s impact could be enormous because it is “wormable and could be built to spread itself.” Even with a patch available, there are dozens of versions of the vulnerable component as well as customized code and configurations, not to mention the challenge of finding and ultimately deploying patches for the seemingly innumerable instances of log4j, Povolny explained.
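One practical answer to the inventory problem Povolny describes is a scanner that walks a filesystem for log4j-core jars and reports each one's version and whether the JndiLookup class is still present. The Python below is an added example, not code from the article or from any of the vendors quoted. The jar-internal paths it inspects (the Maven pom.properties file and the JndiLookup.class location) and the 2.15.0 fix boundary for CVE-2021-44228 are real; the sample jars it builds are constructed stand-ins, not real Log4j artifacts.

```python
"""Inventory scanner for Log4j 2 jars (added example, not from the article).

Walks a directory tree, opens each .jar/.war/.ear, reads the log4j-core
version from its Maven pom.properties and checks whether JndiLookup.class
(the component CVE-2021-44228 abuses) is still inside the archive.
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
# CVE-2021-44228 is fixed in log4j-core 2.15.0; the trailing 1 marks a final release
FIXED_VERSION: Tuple[int, int, int, int] = (2, 15, 0, 1)


@dataclass
class Finding:
    path: str
    version: Optional[str]
    jndi_lookup_present: bool
    status: str  # "vulnerable", "mitigated", "patched" or "unknown"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.14.1', '2.0-beta9' or '2.15.0-rc1' into a comparable tuple.

    Pre-release suffixes (anything after '-') sort below the final release.
    """
    core, _, suffix = text.partition("-")
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if suffix else 1)


def read_log4j_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Return the 'version=' value from log4j-core's pom.properties, if present."""
    try:
        data = jar.read(POM_PROPS).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in data.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def classify(version: Optional[str], jndi_present: bool) -> str:
    if version is None:
        return "unknown"  # log4j-core classes present but no Maven metadata: inspect by hand
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    # Old version: deleting JndiLookup.class from the jar is the documented stop-gap
    return "vulnerable" if jndi_present else "mitigated"


def scan_jar(path: str) -> Optional[Finding]:
    """Inspect one archive; returns None if it is not a log4j-core jar at all."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            version = read_log4j_version(jar)
            if version is None and not any(n.startswith(CORE_PREFIX) for n in names):
                return None
            jndi = JNDI_LOOKUP_CLASS in names
            return Finding(path, version, jndi, classify(version, jndi))
    except zipfile.BadZipFile:
        return None


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".jar", ".war", ".ear")):
                found = scan_jar(os.path.join(dirpath, name))
                if found is not None:
                    findings.append(found)
    return findings


def make_sample_jar(path: str, version: Optional[str], include_jndi: bool) -> str:
    """Write a tiny constructed jar mimicking log4j-core's layout (demo data only)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(CORE_PREFIX + "Logger.class", b"")  # placeholder, not real bytecode
        if version is not None:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def build_demo_tree() -> str:
    """Create a temp directory holding four constructed sample jars."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    make_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    make_sample_jar(os.path.join(root, "log4j-core-unknown.jar"), None, True)
    return root


def demo_statuses(root: str) -> Dict[str, str]:
    return {os.path.basename(f.path): f.status for f in scan_tree(root)}


if __name__ == "__main__":
    for jar_name, status in sorted(demo_statuses(build_demo_tree()).items()):
        print(f"{status:11s} {jar_name}")
```

The scanner only looks one level deep: a jar nested inside a war or a shaded "fat" jar that repackages log4j classes will not be opened, so treat a clean result as a starting point rather than proof of absence, and pair it with runtime checks such as the `-Dlog4j2.formatMsgNoLookups` JVM property and the vendor's own advisories.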
Due to the sheer number of observed attacks already, Povolny said it was “safe to assume many organizations have already been breached” and will need to take incident response measures.
“We believe log4shell exploits will persist for months if not years to come, with a significant decrease over the next few days and weeks as patches are increasingly rolled out,” Povolny said.
Sophos senior threat researcher Sean Gallagher said that since December 9, attacks using the vulnerability have evolved from attempts to install coin miners, including the Kinsing miner botnet, to more sophisticated efforts.
“The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” Gallagher said.
Paul Ducklin, principal research scientist at Sophos, added that technologies including IPS, WAF and intelligent network filtering are all “helping to bring this global vulnerability under control.”
“But the staggering number of different ways that the Log4Shell ‘trigger text’ can be encoded, the huge number of different places in your network traffic that these strings can appear, and the wide variety of servers and services that could be affected are collectively conspiring against all of us. The very best response is perfectly clear: patch or mitigate your own systems right now,” Ducklin said.
Dr. Richard Ford, CTO at Praetorian, explained that because exploiting the vulnerability often does not require authentication or special access, it has exposed an incredible array of systems.
“There are even unconfirmed reports that simply changing your phone’s name to a particular string can exploit some online systems,” Ford said.
Ford and his company’s engineers said it is “one of the largest exposures we have seen at Internet scale.”
“The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long term solution, which will require patching all instances of the vulnerable code — a process which could take months,” he said.
Other experts who spent the weekend watching the vulnerability said hackers got to work almost immediately in exploiting the flaw. Chris Evans, CISO at HackerOne, said they have received 692 reports about Log4j across 249 customer programs, noting that major companies like Apple, Amazon, Twitter and Cloudflare have all confirmed that they were vulnerable.
“This vulnerability is scary for a few reasons: firstly, it’s really easy to exploit; all the attacker has to do is to paste some special text into various parts of an application, and wait for results. Secondly, it’s hard to know what is and isn’t affected, because the vulnerability is in a core library that is bundled with many other software packages, also making remediation more complicated. Thirdly, it’s likely that many of your third-party vendors are affected,” Evans said.
Imperva CTO Kunal Anand said that since rolling out updated security rules more than 13 hours ago, the company observed more than 1.4 million attacks targeting CVE-2021-44228.
“We’ve observed peaks reaching roughly 280K attacks per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks,” Anand said.