ESET has detected hundreds of thousands of attack attempts globally that track to the critical Log4Shell vulnerability. Most attack attempts are located in the United States, the United Kingdom, and the Netherlands, yet nearly 180 countries and territories are under fire largely due to the global prevalence of the Log4j software library in systems around the world.
Image 1. Countries with the most exploit attempts leveraging Log4Shell (on December 26, 2021).
Since December 11, when ESET's engineers created detections for exploits of the Log4Shell vulnerability, ESET has been recording the abovementioned attack attempts. In the Slovak Republic, a country of five million people and the location of ESET’s headquarters, attacks in the thousands have been attempted. This activity signals that all countries, regardless of size, are likely to experience impacts from cybercriminals attempting to breach servers, services, and devices where this vulnerability has not yet been patched.
Log4Shell Attack Attempts
Image 2. ESET telemetry data showing global attack attempts in relative percentage of the total detections for each day.
Why are the attack attempts so broadly distributed?
The Log4j software library is typically used for the production of logs that record activity on a device – in this case especially for recording errors and for retrospective investigation of security incidents. As a result, the vulnerability is extremely widespread.
The vulnerability allows attackers to remotely run any code on a device and, ultimately, gain full control over it. If attackers compromise a server in this way, they can work deeper into an organization's internal network and infiltrate other systems and devices that may not even be exposed to the internet. Combined with the high prevalence of Log4j, this is a critical vulnerability according to the CVSS scale with a maximum of 10 points out of 10. If the IT sector is unable to respond quickly, it may cause headaches for a huge number of organizations and for individuals who manage their own servers, or use various online services.
“Log4j is an open-source library that is part of many online solutions and the services of world-renowned technology companies. Sometimes it is present on a server or a corporate system without the IT administrator's knowledge as part of a larger package. If attackers gain full control of a vulnerable device, they can conduct cyberespionage, steal sensitive data, install ransomware, or otherwise sabotage a company’s IT systems,” explains Ondrej Kubovič, ESET security awareness specialist.
Image 3. ESET telemetry data showing the daily total of blocked Log4Shell exploit attempts.
ESET recommends the following steps:
• Verify where your organization uses the Log4j open-source library and which version. The vulnerable versions are those from 2.0-beta9 to 2.14.1. Versions 2.15 and 2.16 are also partially vulnerable.
• Update your Log4j library to version 2.17 and keep track of any future updates.
• Because Log4Shell is a remote code execution vulnerability and exploits are readily available, it is necessary to verify that the vulnerability has not been exploited by attackers.
• Use security software that can detect and block the exploitation of vulnerabilities. ESET’s detections include:
• Block suspicious IP addresses using a firewall.
Read more in our blog as well as the mitigation tips here. Our expert Jake Moore also explains the issues in this video.