Source: Hackers’ interest in Log4Shell began to fade – Cobalt Strike Cybersecurity | Cobaltstrike.NET
After the initial hype in December last year, cybercriminals seem to have lost interest in the sensational Log4Shell vulnerability.
Vulnerability CVE-2021-44228 is present in the Apache Log4j logging utility. Details about it were revealed at the end of last year and caused a huge resonance, since the utility is used in a variety of products, and the vulnerability turned out to be very easy to operate. According to the latest ICS SANS report, exploitation attempts were recorded almost immediately after disclosure. At the same time, mass Internet scans began in search of vulnerable applications and for testing exploits.
However, the surge of attacks lasted only three weeks, and then the hackers’ interest in Log4Shell began to cool down. The same conclusions were reached
specialists of the Sophos information security company. According to them, the reason is that the Java ecosystem is too complex, and the Log4j library is implemented in each product in its own way, which means it is impossible to create any one universal exploit. There were attempts to create such a tool, but in the end they all turned out to be a failure.
In order to exploit the vulnerability, hackers first need to reverse engineer a Java application, understand where and how Log4j is used in it, and then try various exploit options in search of the most suitable one. This process is too complicated and time-consuming, and cybercriminals have lost interest in it.
After attempts to exploit the vulnerability reached a plateau, coordinated mass attacks still took place periodically, but only when new PoC exploits were published.
Nevertheless, despite the small number of scans in search of Log4Shell and attempts to exploit it, Sophos experts recommend that security teams do not discount it.
The surge in scans last December may be
partly due to attempts by security researchers to check the status
of updates to the Java ecosystem. Now the number of attacks has decreased, but these are
real, malicious attacks.