Log4j vulnerability exploited 50 times more than ProxyLogon

The zero-day exploit found in the Java-based logging framework Log4j had nearly 50 times the activity volume compared to ProxyLogon, a Microsoft exchange server vulnerability, measured on peak 10-day average volume in the second half of 2021, according to a study by Cybersecurity provider Fortinet.

The zero-day exploit is a software vulnerability that hackers use to attacks systems. 

According to the report, attacks are much prevalent on Linux systems, a lot of which is in the form of executable and linkable format (ELF). 

“The rate of new Linux malware signatures distributed to our AV sensors in Q4 of 2021 quadrupled that of Q1. That’s not exactly a meteoric rise, but it’s not something to ignore either. Such growth in variants and spread suggests that Linux malware is moving up in the cyber adversary arsenal,” stated the report. 

Cybercriminals are developing their use of botnets beyond distributed denial-of-service (DDoS) attacks. Cybercriminals are using more sophisticated attack methods, including ransomware. 

“Several security vendors reported observing threat actors — including operators of crypto miners, ransomware tools, and botnets like Mirai — integrating exploits for the Log4j vulnerability into their attack kits,” the report said. 

The report highlighted that botnet activity was observed being associated with a new variant of the RedXOR malware, which targets Linux systems for data exfiltration and leapt into Fortinet’s top 10 list in October. A malicious implementation of the Beacon feature of Cobalt Strike called Vermilion Strike can target Linux systems with remote access capabilities. Log4j is another example of a recent attack where we are seeing Linux binaries being used to capitalise on the opportunity. 

Fortinet said, specific detections vary across global regions, but can be largely grouped into leveraging three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files, and browser scripts (HTML/, JS/). Such techniques continue to be a popular way for cybercriminals to exploit people’s desire for the latest news about the pandemic, politics, sports, or other headlines, and to then find entryways back to corporate networks. With hybrid work and learning remaining a reality, there are fewer layers of protection between malware and would-be victims.