Key data points:
● Imperva observed over 102M exploitation attempts since the disclosure on December 9.
● In the first 10 days, Imperva observed almost 1.3M exploit attempts per hour. Since the peak on December 23, there has been a general decline in the number of exploit attempts.
● The number of sites attacked peaked at 25K sites per hour.
● Commonly targeted industries are Financial Services (29.6%), Food and Beverages (12.4%) and Computing and IT (10.4%).
● Over 100 different types of web clients have been targeted. The most prevalent of these clients was the Go HTTP library, with over 10M requests and counting.
● Imperva observed attacks targeting sites in over 160 different countries. The US saw the majority of exploit attempts (46.5%), but Australia is in the top 6 at 3.5%. New Zealand ranked 11th at 1.5%.
Attack Patterns: Attackers largely used a “spray and pray” approach to the exploitation of this vulnerability. Many IPs were using a common technique known as “fuzzing” to identify vulnerable Java web applications.
Payload Analysis: Imperva witnessed many different payloads used in the exploitation of Log4Shell. It has divided the payloads into five categories: Probing, Reverse shells, Malware deployments, Data exfiltration and Patching.
Future Outlook: Imperva predicts that a tidal wave of breaches will be reported in the next year stemming from this vulnerability and will impact organisations of all sizes. It predicts a sharp increase in ransomware attacks and exploitative crypto mining activity. Botnets will use this vulnerability to expand, hence the volume of application and network DDoS attacks will increase.