The Log4j Incident: A Comprehensive Measurement Study of a Critical Vulnerability

Published: 01 December 2024

Abstract

On December 10, 2021, Log4Shell was disclosed to the public and was quickly recognized as one of the most severe vulnerabilities in years. It exploits a bug in the widely deployed Log4j logging library that allows remote code execution (RCE): any Internet-exposed service that uses the library and logs attacker-influenced input is potentially vulnerable. In this paper, we report on a measurement study that begins on the day of disclosure. We follow the rush of scanners during the first two months after disclosure and track how Log4Shell scanning developed over the following year. Based on traffic data collected at several vantage points, we analyze the payloads sent by researchers and attackers. We find that the initial rush of scanners ebbed quickly but continued in waves throughout 2022. Benign scanners showed interest only in the first days after disclosure, whereas malicious scanners continue to target the vulnerability. In both periods, a single entity appears to be responsible for the majority of the malicious activity.


Published In

IEEE Transactions on Network and Service Management, Volume 21, Issue 6
Dec. 2024
1068 pages

Publisher

IEEE Press
