How the internet looks to you right now depends on where you sit.

If you’re a normal user, you’ve may have heard about Log4Shell—the vulnerability also known as Log4J or CVE-2021-44228, which was disclosed by Apache on Friday, December 10. You may have even browsed a story or a few headlines about and wondered what all the fuss is about. But if you work behind the scenes at many–if not most–technology companies, you’ve probably been working almost non-stop to patch this vulnerability and contain any possible exploit. And your eyes are surely blurring over as you read this.

Erka Koivunen, F-Secure’s Chief Information Officer, explained why it’s so difficult to see what’s going on with Log4Shell for those using the internet—and even to those who may be trying to fix their little part of the internet—with a plumbing analogy.

“The activation of this vulnerability doesn’t happen on the frontend services you interact with,” he said. “The poison goes down the plumbing deep inside the Service Provider backend where it starts to detonate or otherwise execute.”

The problem with plumbing is that much of it is connected.

“For example, imagine I live in an apartment complex and I flushed something I shouldn’t have. The material might successfully leave my apartment, travel to the sever duct underneath the next intersection or all the way to the wastewater treatment facility further uptown. There it might block the plumbing and burst a pipe.”

And when people see an IT Service Provider infrastructure burst, they may get ideas.

“People start thinking, ‘What else can I flush down my toilet?” They may do it just for the pleasure of finding things out. Or some people just like to watch the world burn, it seems.”

Listen to Erka discuss what Log4Shell means to your organization on the new episode of our Cyber Security Sauna.

Our last post focused on an overview of the Log4Shell situation, how F-Secure customers were affected, and what can and is being done to mitigate this global threat. F-Secure continues to add detection capabilities to our solutions as the situation develops. (UPDATE: F-Secure released a tool on December 16th that makes it easy to verify if the patches have been applied. The download is available here.)

This post takes a look at the actual threats attackers are trying deploy through this potential gaping hole in networks everywhere. Our threat hunters and other cyber security experts have been monitoring networks have seen the following payloads delivered thus far:

• Deployment of crypto-currency mining software such as xmrig/kinsing
• Deployment of botnets Mirai and Tsunami
• Deployment of Cobalt Strike
• Deployment of Orcus RAT
• Ransomware deployment
• Reverse shells

There are reports that Khonsari ransowmare has been observed as a payload in a successful exploitation. As we know from many incidents in the past, attack tools such as CobaltStrike, remote access trojans and reverse shells may very well be utilized to establish an initial access, paving the way for wider scale ransomware attacks.

The problem with plumbing is that much of it is connected.

“For example, imagine I live in an apartment complex and I flushed something I shouldn’t have. The material might successfully leave my apartment, travel to the sever duct underneath the next intersection or all the way to the wastewater treatment facility further uptown. There it might block the plumbing and burst a pipe.”

And when people see an IT Service Provider infrastructure burst, they may get ideas.

“People start thinking, ‘What else can I flush down my toilet?” They may do it just for the pleasure of finding things out. Or some people just like to watch the world burn, it seems.”

Listen to Erka discuss what Log4Shell means to your organization on the new episode of our Cyber Security Sauna.