Log4Shell: New numbers reveal the scale of the critical software exploit

Abstract image of stacked broken egg shells

The scale of the threat associated with the recently discovered Log4Shell vulnerability has been quantified for the first time, with nearly 1 million attack attempts launched in just 72 hours following the critical vulnerability's disclosure on 9 December.

Experts from Check Point Research published observations from early vulnerability scans on Tuesday, which revealed attempts to exploit systems vulnerable to Log4Shell increased from 40,000 in the immediate 12-hour period following disclosure, to 830,000 attempts after just three days.

Researchers said the vulnerability "is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable". The security community is still scrambling to fully understand the attack surface for Log4Shell, the RCE vulnerability in the log4j Java logging component revealed last week.

"The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections," researchers said. "It means that one layer of protection is not enough, and only multi-layered security posture would provide a resilient protection. Three days after the outbreak, we are summing up what we see until now, which is clearly a cyber pandemic that hasn’t seen its peak yet."

A graph indicating the rise in exploitation attempts of Log4Shell

(Image credit: Check Point Research)

The industry has banded together to share quick fixes and easy ways to remediate issues in the enterprise, but research has shown attackers are finding new ways to exploit the vulnerability.

Check Point Research said it has seen a steady increase in exploit evolutions over the course of 72 hours since Log4Shell's discovery, with more than 60 different methods already in use.

Findings from their investigation are said to resemble a cyber pandemic, in which attacks spread quickly and evolve continually to break through attempted fixes.

A graph depicting the swift evolution of exploitation of Log4Shell

(Image credit: Check Point Research)

Who is most vulnerable to Log4Shell?

The investigation also looked at corporate exposure to Log4Shell and concluded that a global average of 40% of all networks across the world could be vulnerable to log4j flaws.

Australia and New Zealand were found to be the most exposed at 46.2% of all corporate networks, with Europe close behind with 42.2%. Asia and North America are the least exposed at 37.7% and 36.4% respectively.

Value-added resellers and the education sectors were found to be particularly vulnerable compared to other industries, with around half of all organisations across the two sectors thought to be affected.

Unlike with the COVID-19 pandemic, the retail and hospitality sectors are thought to be the least affected, with around a quarter of organisations exposed to log4j-based attacks.


Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools


There is significant pressure felt by security teams across the globe to fully patch the vulnerability. Upgrading to the latest version of the log4j library, version 2.15.0, is so far the best mitigation against the flaw.

Also this week, the US' Cybersecurity and Infrastructure Security Agency (CISA) told all federal agencies they had until 24 December to patch systems and protect them from Log4Shell.

It follows a recent increase in focus on patch management across the US public sector, led by CISA, after the agency issued deadlines to all federal departments in November to patch a 300-strong list of major cyber security vulnerabilities. The first deadline passed weeks later but CISA declined to confirm to IT Pro if all federal agencies had met the requirements in time.

Check Point Research said it thinks the vulnerability in the log4j library "will stay with us for years to come" due to the complexity in patching it and the ease in which attackers can exploit it.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.