Major attacks with Log4j vulnerability ‘lower than expected’


Thanks in large part to the massive response from the security community, there have been few significant cyberattacks to date that exploit the vulnerabilities in Apache Log4j, according to findings from cybersecurity giant Sophos.

Overall, successful attacks using the Log4j flaws have been limited, Chester Wisniewski, principal investigator at Sophos, said in a blog post today.

Like other cyber vendors, the Sophos Managed Threat Response Team (MTR) has detected a large number of scans and exploit attempts for the remote code execution vulnerability known as Log4Shell. But as of early January, “only a handful of MTR customers faced intrusion attempts with Log4j determined to be the first entry point,” Wisniewski wrote. Most of those break-ins were by cryptocurrency miners.

“The total number of successful attacks to date remains lower than expected,” he wrote.

Still, the wide scope of the Log4Shell vulnerability and the difficulty of finding all instances of it suggests that the bug “will likely be a target for exploitation for years to come,” Wisniewski wrote.

Widespread Vulnerability

If not patched, many enterprise applications and cloud services written in Java may be vulnerable to the flaws in Log4j. The open source logging library is believed to be used in some form – directly, or indirectly through a Java framework – by most large organizations.

The first Log4j vulnerability, revealed on December 9, could be used to remotely execute code by unauthenticated users.

“However, Sophos believes that the imminent threat of attackers who massively exploit Log4Shell was averted because the severity of the bug united the digital and security communities and propelled people to action,” Wisniewski wrote. “This was seen in 2000 with the Y2K bug and it seems to have made a significant difference here.”

Few major attacks involving Log4j have been disclosed so far. On December 20, the Belgian Ministry of Defense announced that part of its network had been disabled following a cyberattack. The attack was the result of exploiting the vulnerability in Log4j, the Defense Department said.

Cyber company Qualys previously told VentureBeat it has observed “attempted ransomware attacks, some of which have been successful — by Conti, Khonsari and some state-backed adversaries,” Travis Smith, director of malware threat research at Qualys, said in an email. Details of the attacks have not been released.

Disrupted Attacks

Other attacks that have been reported were interrupted midway through. For example, on Dec. 29, CrowdStrike said its threat hunters identified and disrupted an attack by a state-sponsored group in China that involved an exploit of the Log4j vulnerability. CrowdStrike said threat hunters from its Falcon OverWatch team intervened to protect a “major academic institution,” which was not identified, from a hands-on-keyboard attack that appears to have used a modified Log4j exploit.

In addition to the widespread response from the security community, another possible reason that mass exploitation has been minimized “may be the need to adapt the attack to any application containing the vulnerable Apache Log4J code,” Wisniewski wrote.

Nevertheless, “just because we were sent around the immediate iceberg doesn’t mean we are free of the risk,” he said.

“Some of the early attack scans have resulted in attackers securing access to a vulnerable target, but not actually misusing that access to deliver malware, for example — so the successful breach goes undetected,” Wisniewski wrote.

“Sophos believes the attempted exploit of the Log4Shell vulnerability is likely to continue for years to come and become a favorite target for both penetration testers and state-backed threat actors,” he wrote. “The urgency of identifying where it is being used in applications and updating the software with the patch remains as important as ever.”

Long tail

Other cyber experts have previously made similar comments to VentureBeat, saying that the worst attacks using the Log4j flaws could be months – or even years – in the future.

“In many cases, attackers compromise a company, gain access to networks and credentials, and use it to launch massive attacks months and years later,” said Rob Gurzeev, CyCognito’s co-founder and CEO, in a previous email to VentureBeat.

Once they’ve established a foothold, sophisticated attackers will often take their time investigating users and security protocols before launching the full run of their attacks, said Hank Schless, senior manager for security solutions at Lookout.

This helps them strategize on how to most effectively avoid existing security practices and tools, Schless said, “while simultaneously identifying which parts of the infrastructure would be most effective to encrypt for a ransomware attack.”

Ultimately, due to the widespread nature of the flaw, “the long tail of this vulnerability is going to be quite long,” Andrew Morris, the founder and CEO of GreyNoise Intelligence, said in an earlier interview. “It will probably take some time before this is completely cleared up. And I think it will be a while before we understand the magnitude of the impact of this.”
