Security Experts:

Threat Groups Reportedly Working on Log4Shell Worm

Log4Shell worm

Experts Comment on Concerns Related to Log4Shell Worm

Multiple threat groups are reportedly working on developing a worm that leverages the recently disclosed Log4j vulnerability, but many experts say that — if such a worm is created — it may not be as bad as it sounds.

It recently came to light that the widely used Log4j logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including profit-driven cybercriminals and state-sponsored groups. The vulnerability is tracked as CVE-2021-44228 and it has been dubbed Log4Shell and LogJam.

According to researcher Greg Linares, at least three groups — ones that have been linked to Eastern Europe, Russia and China — are looking into creating a Log4Shell worm, mostly for financially-motivated attacks that involve extortion or selling access to compromised hosts to ransomware groups.

Linares said on December 13 that he had seen evidence suggesting that a worm would be developed in the next 24 to 48 hours, but there are currently no confirmed reports of such a worm spreading in the wild.

While the researcher’s claims have led to concerns that we might see another significant attack, such as in the case of WannaCry or NotPetya, several experts pointed out that a Log4j worm is not easy to develop and it might not even be a priority for malicious actors.

Comments on Log4Shell worm

“I think the fears of a worm are overblown,” said researcher Marcus Hutchins, who in 2017 found a way to disrupt the WannaCry attack. “Firstly, there's already mass exploitation (you can spray the entire internet from one server). Secondly, worms take time and skill to develop, but most attackers are racing against the clock (patching and other attackers).”

“Also, due to the nature of the exploit there's no standard way to exploit it. People have [resorted] to crudely stuffing the payload into HTTP requests, which you don't need a worm to do. A worm would need a novel exploitation technique to gain any real value over scanning,” the researcher added.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, agrees that developing this type of malware takes a significant amount of time and effort, and there “hasn’t been any evidence to suggest this is a priority for threat actors at this time.”

“This activity differs from the Wannacry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue. It’s still very much early days with regards to Log4j. While many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm,” Morgan said.

John Bambenek, principal threat hunter at Netenrich, pointed out that a worm would have posed a bigger risk when the vulnerability was disclosed, but at this point — while there likely still are many vulnerable devices out there — many affected systems have already been patched or are protected by WAF rules.

Jake Williams, co-founder and CTO at BreachQuest, noted, “The vast majority of servers vulnerable to Log4Shell will be running the vulnerable process with very limited permissions. In most cases, a worm exploiting Log4Shell would probably not be able to achieve persistence across process restarts. Additionally, because the process probably doesn't have filesystem permissions, we should be less worried about ransomware payloads. A malicious process can’t encrypt what it can’t write in the first place.”

“While we should absolutely expect a Log4Shell worm to be created, we shouldn’t conflate the expected damage of a worm with what has been seen in previous high profile worms,” Williams added.

Yaniv Balmas, VP of security research at Salt Security, believes a wormable exploit is “definitely a valid scenario” and it’s very likely that someone will embed the Log4Shell vulnerability into a worm that “will be almost impossible to stop once it reaches a critical mass.”

However, the expert pointed out that malicious actors don’t currently need a worm to easily launch Log4Shell attacks against millions of online services, and the extent of the damage could be even higher than in the case of a worm, which is automated and works “blindly.”

Casey Ellis, founder and CTO at Bugcrowd, also commented, pointing out, “While it can be argued that malicious attackers have more than ample opportunity to achieve their goals with Log4Shell without engineering a self-propagation mechanism, there is also a ‘hobbyist’ motivation around worming the exploit. Historically, many of the worms that were most impactful on the Internet were research projects which ended up being unexpectedly successful.”

Related: Log4Shell Tools and Resources for Defenders - Continuously Updated

Related: Industrial Organizations Targeted in Log4Shell Attacks

Related: Problematic Log4j Functionality Disabled as More Security Issues Come to Light

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.