Log4Shell exploitation continues: more than 30,000 scans reported in January
Discovered in December 2021, Log4Shell quickly became infamous as the vulnerability of the year. Although the Apache Foundation released a patch for this CVE shortly after its discovery, the vulnerability continues to pose a huge threat to individuals and organizations. In fact, during the first three weeks of January, Kaspersky products blocked 30,562 attempts to attack users with exploits targeting the Log4Shell vulnerability.
CVE-2021-44228, or Log4Shell, is a Remote Code Execution (RCE) class vulnerability, meaning that if it is exploited on a vulnerable server, attackers gain the ability to execute arbitrary code and potentially take full control of the system. This CVE has been ranked 10 out of 10 in terms of severity.
The vulnerability is extremely attractive to cybercriminals because it allows them to gain complete control over the victim’s system and is easy to exploit.
Since it was first reported, Kaspersky products have detected and prevented 154,098 attempts to scan for and attack devices by targeting the Log4Shell vulnerability. Most of the attacked systems were located in Russia (13%), Brazil (8.97%) and the USA (7.36%).
Although the Apache Foundation has already released a patch for this CVE, it takes weeks or months for vendors to update their software. Unsurprisingly, Kaspersky experts have observed that malicious attackers are continuing widespread scans to exploit Log4Shell. In the first three weeks of January, Kaspersky products blocked 30,562 attempts to attack users by targeting the Log4Shell vulnerability. Moreover, almost 40% of these attempts were detected within the first five days of the month, from 1-5 January.
The number of scans for Log4Shell vulnerability, January 1 through January 20, 2022
“We certainly see that there have been far fewer scans and attempted attacks using Log4Shell than there were in the first weeks when it was initially discovered. Still, attempts to exploit this vulnerability are here to stay. As our telemetry shows, cybercriminals continue their extensive mass scanning activities and make attempts to leverage the exploitable code. This vulnerability is being exploited by both advanced threat actors who target specific organizations and opportunists simply looking for any vulnerable systems to attack. We urge everyone who has not yet done so to patch up and use a strong security solution to keep themselves protected,” comments Evgeny Lopatin, security expert at Kaspersky.
Kaspersky products protect against attacks leveraging this vulnerability, including the use of PoCs, under the following detection names:
UMIDS:Intrusion.Generic.CVE-2021-44228
PDM:Exploit.Win32.Generic
To safeguard against this new vulnerability, Kaspersky experts recommend:
Installing the most recent version of the library. You can download it from the project page. If you are using the library as part of a third-party product, you will need to monitor for and promptly install updates from that software provider.
Following Apache Log4j project guidelines: https://logging.apache.org/log4j/2.x/security.html.
Businesses should use a security solution that provides exploit prevention, vulnerability and patch management components, such as Kaspersky Endpoint Security for Business. Kaspersky’s Automatic Exploit Prevention component also monitors suspicious actions by applications and blocks malicious file executions.
Using solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response, which help identify and stop attacks in the early stages, before attackers can reach their final goal.