Imperva Research Labs has released its analysis of recent Log4j related vulnerabilities including attack patterns, payloads and bypass techniques.
Key data points:
● Imperva observed over 102M exploitation attempts since the disclosure on December 9.
● In the first 10 days, Imperva observed almost 1.3M exploit attempts per hour. Since the peak on December 23, there has been a general decline in the number of exploit attempts.
● The number of sites attacked peaked at 25K sites per hour.
● Commonly targeted industries are Financial Services (29.6%), Food and Beverages (12.4%) and Computing and IT (10.4%).
● Over 100 different types of web clients have been targeted. The most prevalent of these clients was the Go HTTP library, with over 10M requests and counting.
● Imperva observed attacks targeting sites in over 160 different countries. The US saw the majority of exploit attempts (46.5%), but Australia is in the top 6 at 3.5%. New Zealand ranked 11th at 1.5%.
Attack Patterns: Attackers largely used a “spray and pray” approach to the exploitation of this vulnerability. Many IPs were using a common technique known as “fuzzing” to identify vulnerable Java web applications.
Payload Analysis: Imperva witnessed many different payloads used in the exploitation of Log4Shell. It has divided the payloads into five categories: Probing, Reverse shells, Malware deployments, Data exfiltration and Patching.
Future Outlook: Imperva predicts that a tidal wave of breaches will be reported in the next year stemming from this vulnerability and will impact organisations of all sizes. It predicts a sharp increase in ransomware attacks and exploitative crypto mining activity. Botnets will use this vulnerability to expand, hence the volume of application and network DDoS attacks will increase.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.