Attackers still exploiting Log4J vulnerability.
In mid-December 2021, the German Federal Office for Information Security (BSI) issued a red alert for the Log4J (also known as Log4Shell) vulnerability. Even back then, the authority was warning that cyber criminals were actively exploiting the vulnerability. These fears are currently proving true, as the current threat report from G DATA CyberDefense shows. Instead of new waves of attacks, cyber criminals are currently launching targeted attacks on companies that they had already infiltrated using the vulnerability at the end of last year. Back then, the attackers installed backdoors which went unnoticed. They are now exploiting these and smuggling additional malicious code into the network - up to and including the encryption of data. Particularly alarming is the fact that not all companies have closed this vulnerability yet. This means that they are still a potential target for cyber criminals, who have the appropriate tools for finding and infiltrating these exposed systems.
“Unfortunately, what we had predicted at the beginning of the year about the exploitation of the Log4J vulnerability is currently materializing”, says Tim Berghoff, Security Evangelist at G DATA CyberDefense. “Because of the ease of exploitation, criminals started by stockpiling hundreds of thousands of systems and have only recently begun to monetise these infections, for example by uploading ransomware. Those who installed the available security update early should be on the safe side.”
The number of new cyber attacks is declining, as it did in the second quarter. Comparing the third quarter of 2022 to the second, the number of averted attacks fell by 13.7 percent. The decline is greater for consumers than for businesses. The number of averted attacks on business customers fell by 7.5 per cent from the second quarter to the third, and by almost 15 per cent for private customers.
New attack routes into networks
Cyber criminals are currently using the malware Berbew, Neojitt and Formbook to attack systems. Berbew is a Trojan that reads passwords and sends them to a remote web server. Berbew also acts as a web proxy, allowing attackers to use the infected system as a relay for remote access to other systems. Cyber criminals distribute the Trojan via email as an attachment containing malware or via data sharing programs.
FormBook is an infostealer that exfiltrates data from infected systems, such as credentials cached in web browsers or screenshots. In addition, it also functions as a downloader, allowing attackers to execute malicious files on an infected system. Formbook is so widespread because it is marketed on underground forums at a low price under a malware-as-a-service (MaaS) model.
No reason to sound the all-clear
Despite the declining numbers, overall IT security in Germany is less than ideal. Attackers are consistently exploiting security gaps to compromise companies. Inattentive employees are also repeatedly opening the door to the network for cyber criminals when they fall for phishing emails and open attachments with malicious code or disclose access data on fake websites. Many companies still have some catching up to do in this area - both in terms of technological protection measures and security awareness.