Google Cloud offers good news and bad news on Log4Shell, other issues
Google Cloud is seeing 400,000 scans per day for systems vulnerable to the Log4Shell bug, the company said Tuesday.
The findings — released as part of the company’s semi-regular Threat Horizons report — show that IT security professionals need to “keep paying attention to this, because the scans keep coming, and if you leave one vulnerable instance open, you’re going to be found,” Phil Venables, the chief information security officer at Google Cloud, told CyberScoop.
That said, the companies interacting with Google Cloud have “been very much on top of this,” according to Venables. The warning comes as a reminder, however, to security professionals to keep doing the work of finding the devices and software vulnerable to the Log4Shell bug, which affects versions of the widely used Log4j logging software that haven’t been patched since early December.
Shane Huntley, the head of Google’s Threat Analysis Group, said that the daily scan numbers are not a direct measure of the threat. Rather, “it is now just background that if you are vulnerable to this on the internet you could be compromised,” he said. “You need to be aware that this is going on full time.”
Google Cloud’s data suggests that scans daily scans may have peaked in the weeks following Log4j’s discovery above the 400,000 per day figure, but some of that reflected security researchers and others trying to figure it out, Huntley said. But now, the problem could be worse in some ways because “people are doing this for real in a systematic way versus some of the early scanning.” Either way, “this will be a background threat to the internet now like other vulnerabilities have been.”
The data comes as part of the second Threat Horizons report, which was first published in November. It’s meant as a periodic briefing for CISOs and others in the information security space to get insights into threats Google Cloud and other security teams within the software giant are seeing.
A North Korean threat
The report also touches on an internet domain identified in March 2021 by Google’s Threat Analysis Group as being part of a North Korean campaign to target individual security researchers. It was flagged in November 2021 by security firm ESET as being used to distribute trojanized software. Over the last year and more, Google notes in the new report, the North Korean hackers launched “multiple campaigns” against the security and vulnerability research community as part of this effort.
The information was highlighted in the Threat Horizons report because CISOs and others should know that their researchers “are facing potentially these sorts of risks,” Huntley told CyberScoop. “It’s ongoing activity, but it sort of comes and goes in waves as they get called out.”
One of the security researchers targeted as part of the North Korea claims to have recently taken down North Korea’s internet for a short period, Wired reported Feb. 2.
Other items in the report include growing attacks using Sliver, an open-source alternative to the famous Cobalt Strike, which is designed to emulate how adversaries attack a network, but also can be used by malware actors. The built-in tools and abilities prized by industry “red teams” also make the software desirable for malicious attackers.
Similarly, the Google Cloud report details how attackers have been observed abusing the “Cloud Shell” feature of the company’s services to serve as a means for attackers to use the platform for other attacks.
“This is a growing element within the attacks customers are seeing,” Venables said, noting that only a “very small percentage” of Google Cloud customers are seeing this activity when they don’t maintain sufficient security.