Security researchers have theorized that rising exploits of the critical vulnerability in Log4J could soon worsen as cyber criminals continue to find new ways around the ongoing implementation of Microsoft’s anti-phishing measures.
Introduced in 2022 after the IT community demanded it for years, Microsoft blocked the enablement of VBA macros in Office documents by default.
It meant that one of the leading methods of distributing malware via Office documents and phishing emails was effectively nullified - a major boon to defenders.
Since then, researchers at ESET have noticed a rise in exploits targeting the Log4J vulnerability across the world.
While the reason for the increase in attempts isn’t currently clear to researchers, one possibility is that cyber criminals are looking for new ways to carry out attacks now that phishing with malicious documents has become more difficult.
ESET’s researchers said that, while it’s just a theory, this rise may continue as cyber criminals look for effective ways to achieve their goals now that one of their most favored tactics has been thwarted.
“If you look at the numbers globally, we have seen 166 million attacks [in 2022]... and in 2023, the numbers were going up by 13%,” said Ondrej Kubovič, security awareness specialist at ESET, about the latest data on Log4J exploit attempts.
“So, knowing that there are new systems being introduced with Log4J, and our statistics are showing this, then we can say that Log4J is still interesting for the attackers, and with VBA [macros] being closed down and OneNote being closed down, this might get worse.”
The latest Log4J numbers
Despite Log4Shell not being as devastating as the community initially thought it would be, it remains highly exploited - the second-most used exploit method, according to ESET’s telemetry, behind password guessing.
The popularity of exploiting the vulnerability is also expected to increase not just because of Microsoft’s anti-phishing measures, but also because of the number of vulnerable downloads that are still made.
ESET said in its T3 2022 Threat Report that as many as a quarter of all new Log4J library downloads are of the vulnerable version, even though patched and secure versions have been available since December 2021.
IBM’s figures paint an even darker picture, suggesting that nearly half (40%) are still vulnerable to the flaw that received a maximum 10/10 rating on the CVSSv3 severity scale.
In just the last seven days, 32% of Log4J downloads were of the vulnerable version, Sonatype’s data showed.
As of September 2022, the number of blocked Log4J exploit attempts in the UK sat at 13.4 million, ESET said, roughly 12% of the global 166 million attempts.
This represented a 15% year-on-year increase, one that was generally in line with the figures for countries across the world.
Poland’s figures were amongst the highest out of any country in the world with a 30% increase in attacks.
ESET could not offer a definitive explanation for these markedly high attack attempts and neither could the Polish national computer emergency response team (CERT) after consulting with the security researchers.
Ukraine’s CERT issued an alert at around this time warning of Russia’s changing tactics, favoring vulnerability exploits as opposed to attack techniques used earlier in the conflict, though a strong link between the nation’s activity and Log4J exploits in Poland has not been established.
Blocking VBA macros: How effective has it been?
In the year since Microsoft rolled out the changes to Office documents, blocking VBA macros by default, data has shown a dramatic reduction in attacks.
Proofpoint’s figures from the back end of 2022 showed a 66% drop in macro-enabled attack attempts, a trend that continued through the first half of 2023 with macros “barely” making an appearance in campaign data.
“The cyber criminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers,” the security company said.
“Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques.”
The findings in Proofpoint’s data were also corroborated by researchers at ESET in private media briefings.
Attackers pivoting to OneNote
After Microsoft put an end to macro-enabled Office documents, attackers soon realized that the company’s note-taking app OneNote could be exploited in a similar way to how Word and Excel were before 2022.
An increase in attacks was reported by various security firms earlier this year involving OneNote files, which still allowed the embedding of various files in documents, including executables.
A typical scenario would see an email sent to a victim and attached to it was a mostly empty OneNote document.
Attackers would create a large text box reading ‘Click to open document’, or a similar message; hidden behind that text box would be a number of embedded batch files that were executed when the victim clicked on it, the text box serving only to conceal the malicious buttons.
In some examples, a series of batch files would run, downloading other similar files and executing PowerShell code, ultimately leading to the installation of malware and essentially bypassing the blocking of VBA macros.
An example highlighted by Fortinet in March 2023 saw such an attack lead to the dropping of AsyncRAT, which was able to assume total control of a victim’s machine.
In the same month, Microsoft implemented enhanced security measures for OneNote, including more frequent and explicit warnings when opening potentially malicious files.
Weeks later, it also announced it would block 120 file extensions often used in malicious campaigns by default as an additional stand against phishing using its productivity software.
Now, fresh concerns have been raised around the introduction of the new top-level domains (TLDs).
Cyber security experts have previously criticized the new additions, such as .zip, as these could be harnessed in campaigns, potentially making malicious links appear more legitimate than they really are.
ESET’s researchers told ITPro that while the current data doesn’t show a significant increase in attacks leveraging the new TLDs, they “understand the concern”.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.