Log4Shell attacks have spread throughout the Internet due to the ease with which attackers can perform them. The WatchGuard Threat Lab sees a sample of these attacks from our customers’ perspectives when they opt to provide anonymized threat intelligence data from their Fireboxes. This limited data, along with our analysis, gives us a unique opportunity to review some of the real-world Log4j attacks happening on the Internet.
We searched our data from when Log4Shell was first disclosed until now for signs of these attacks. We detected two recent vulnerabilities targeting log4j: CVE-2021-44228, the big one, and CVE-2021-45105. CVE-2021-45105 only accounted for 1% of the total detections. Note that we also searched for detections of other recent log4j vulnerabilities unrelated to the two CVEs mentioned above but didn’t find any.
The data shows 12.6% of reporting Fireboxes have seen (and successfully blocked) attackers trying to exploit this vulnerability, for a total of 37,463 detections. This makes it the fifth most-detected IPS attack family for the month of December. This may not seem so bad at first, but we know only one in four devices scan encrypted traffic, and even fewer have hosted services behind them. We suspect that close to all, if not all, devices that have services hosted behind a Firebox and scan for this vulnerability have detected a related signature. All detections of the attack came over an encrypted connection, as reported by devices that have enabled that ability; some device owners haven’t enabled our built-in capability to inspect and detect threats within encrypted (SSL/TLS) traffic.
Europe, the Middle East, and Africa (EMEA) saw the most detections, with 22,784 total. North, Central and South America (AMER) saw 13,152 detections. Asia-Pacific (APAC) saw 1,527 detections. Of all those regions, Germany saw the most as a country, at 10,502, followed closely by the US at 10,147, and Italy rounds out the top three with 2,723 detections. Accounting for the varied number of reporting Fireboxes in each region, AMER saw 43%, EMEA 33%, and APAC 24% of detections.
Security blog readers like you probably don’t need a lesson on updating your software, but this type of critical, easy-to-exploit, and ubiquitous vulnerability spreads to every inch of the Internet quicker than many can respond. As the data shows, a massive amount of effort has been put into scanning the Internet for these vulnerabilities. You can’t always block every vulnerability (though our Firebox detections show we are doing a good job), but you can prevent these flaws from interfering with business operations by segmenting networks and making backups of important data. Know that anyone who hasn’t updated their vulnerable software and doesn’t have protection has most likely been put on a list of known vulnerable networks by potential adversaries.