Since the news of Log4shell initially broke, a few news outlets have been stoking fear about an imminent attack from a devastating worm, from the usual suspects, armed with a Log4j exploit. A month later, and we still haven’t seen it — but why? And how is it actually being used?
The attack surface that a Log4j worm would have to target is very incongruous. Systems such as web servers are easy to mass scan and Java-based web applications like Elasticsearch and VMware Horizon have already been exploited in great numbers. Scanning the entire internet for a select few vulnerable services or even blindly pray-and-spraying every found web service with a payload can be done in a day.
Writing a worm for a scannable exploit is pretty much pointless. Worms like WannaCry made use of an SMBv1 service vulnerability in Windows systems meaning that the entire network could be compromised from a single exploit. Log4j, while devastating in it’s breadth, isn’t as ubiquitous as a default Windows service and the method of exploitation for this library will vary greatly depending on its implementation.
A Log4j worm would only affect the few machines running this library and internal uses of the library would be too varied to be predictable in any meaningful way. Even the operating system would
Additionally, the skill requirement of writing a worm is much higher than scanning. Only nation-state threat actors have the skill and resources to put together an impactful worm quickly enough to be competitive with scanning and even the efficacy of this is debatable.
Ransomware’s Current Modus Operandi
The biggest cyber-security threat is currently ransomware, but how would this exploit best be used in a ransomware attack? Hint — not with a worm! Log4j could provide an entry point for further exploitation to plant ransomware, destroy backups, open backdoors, but this is all manual or hands-on-keyboard work. Some less skill attackers may ransom the individual machine during the blind pray-and-spray attack mentioned earlier, but the primary M.O. of modern ransomware attackers is to gain entry, destroy backups, and ransom the entire network in order to more easily force payment of a high ransom.
The ransomware gangs are also in a race with middlemen known as “access brokers” who obtain the initial foothold into a network via a Log4j exploit, and then patch the exploit behind them. The barrier to entry here is low and the access is often sold to a more skilled third party who attempts a more comprehensive exploitation of the network before planting the ransomware.
How is it being used?
According to Microsoft Threat Intelligence Center (MTIC), “The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. […] Microsoft has observed activities including installing coin miners, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.”
MTIC also notes the activity of 4 nation-state threat actors, which had the most potential for creating a worm (à la North Korea’s WannaCry), deploying ransomware and using Log4j as an entry point. They make no mention of observing any worms.
The Log4j exploit is a very high-profile and devastating bug meaning there’s a race against time between attackers and blue teams which a worm cannot compete with due to time-cost and unpredictable variables in exploitation. Most attacks have come in the form of mass scans that plant ransomware or crypto miners, and sophisticated hands-on-keyboards ransomware operations that gain control of the network.