The Race to the Vulnerable: Measuring the Log4j Shell Incident
Raphael Hiesgen, Marcin Nawrocki, Thomas C. Schmidt, Matthias Wählisch

TL;DR
This paper analyzes the rapid response to the Log4j Shell vulnerability, showing that benign scanning decreased quickly while malicious targeting persisted over two months after disclosure.
Contribution
It provides a detailed measurement of scanner activity post-disclosure, highlighting differences between benign and malicious actors over time.
Findings
Benign scanners peaked immediately after disclosure and then declined.
Malicious scanners continued targeting the vulnerability for at least two months.
Scanner activity patterns differ significantly between researchers and attackers.
Abstract
Log4Shell is a critical remote-code-execution (RCE) vulnerability that was disclosed to the public on December 10, 2021. It exploits a bug in the widespread Log4j library. Any service that uses the library and exposes an interface to the Internet is potentially vulnerable. In this paper, we measure the rush of scanners during the two months after the disclosure. We use several vantage points to observe both researchers and attackers. For this purpose, we collect and analyze payloads sent by benign and malicious communication parties, their origins, and churn. We find that the initial rush of scanners quickly ebbed. Non-malicious scanners in particular were only interested in the days after the disclosure. In contrast, malicious scanners continue targeting the vulnerability.
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cloud Data Security Solutions
