Amateurs and the less skilled criminals have moved from Log4Shell to shinier and more exciting endeavors. However, the threat has not vanished.
A vulnerability in the popular Log4j logging library, dubbed Log4Shell, shook the cybersecurity community at the end of 2021. Once it was publicly disclosed, we saw an uptick in exploitation, with experts calling it the Fukushima moment in cybersecurity that will be analyzed and discussed for many years to come.
“The early wave of Log4Shell in December was ultimately a land rush of information gathering and expedient exploitation before many had the opportunity to assess and patch their vulnerability,” Sophos’ principal research scientist Chester Wisniewski said in his recent analysis of the Log4Shell exploitation.
Now we may be witnessing what he calls the end of amateur hour. The threat, Wisniewski argues, has shifted, but it has not vanished.
Recently, he looked at two one-week windows in particular. The first dataset is from December 17, 2021, to December 23, 2021, and illustrates who was scanning during the peak of attacks in the weeks following the bug’s discovery. The second dataset covers January 19, 2022, to January 25, 2022, approximately one month later.
During the peak in December, Sophos observed 1,497 unique IP addresses originating from 234 unique ASNs (autonomous system numbers) scanning and attacking over seven days. The first dataset has a long tail. The top 20 ASN owners are mostly hosting, VPS, or cloud providers.
“In my experience, this represents a mélange of penetration testers, cybercriminals, and nation-states. The remaining few are either security researchers or IPs known to host anonymous VPNs, demonstrating that the early wave was ultimately a land rush of information gathering and expedient exploitation before many had the opportunity to assess and patch their vulnerability,” Wisniewski wrote.
In January, the scanning decreased considerably. Despite the significant increase in the volume of telemetry, it contains only 268 unique IP addresses (compared to 1,497 in December) from 93 ASNs (234 in December).
“My impression from this is that the amateurs and the less skilled criminals have moved on to shinier and more interesting endeavors. What’s left? A noisy relentless cohort of potentially dangerous attackers combined with over-eager security researchers creating just enough noise to make it hard for SOCs and red teamers to find the signal,” Wisniewski writes.
He stressed that the threat has shifted, but it hasn’t vanished, and now that the activity has died down, ‘we can begin to refine our defenses and alerts to hunt down the truly dangerous ones.’