Fortinet: Log4j had nearly 50x activity volume of ProxyLogon

The Fortinet report also spotlighted an increasing number of attacks on Linux systems.
Written by Jonathan Greig, Contributor

Cybersecurity giant Fortinet found that Log4j had nearly 50 times the activity volume compared to ProxyLogon based on peak 10-day average volume in the second half of 2021. The finding was part of the company's FortiGuard Labs Global Threat Landscape Report released this week. 

The Fortinet report also spotlighted attacks on Linux systems, many of which come in the form of executable and linkable format (ELF) binaries.

"The rate of new Linux malware signatures in Q4 quadrupled that of Q1 2021 with ELF variant Muhstik, RedXOR malware, and even Log4j being examples of threats targeting Linux. The prevalence of ELF and other Linux malware detections doubled during 2021," the report explained. 

Also: Multiple vulnerabilities found in Snap-confine function on Linux systems

"This growth in variants and volume suggests that Linux malware is increasingly part of adversaries' arsenal."


Threat actors are also evolving their use of botnets beyond DDoS attacks. Instead of being "primarily monolithic," Fortinet said botnets "are now multipurpose attack vehicles leveraging a variety of more sophisticated attack techniques, including ransomware." 

"For example, threat actors, including operators of botnets like Mirai, integrated exploits for the Log4j vulnerability into their attack kits. Also, botnet activity was tracked associated with a new variant of the RedXOR malware, which targets Linux systems for data exfiltration. Detections of botnets delivering a variant of RedLine Stealer malware also surged in early October morphing to find new targets using a COVID-themed file," the report said. 

The report went into detail about how cyberattackers are maximizing attack vectors associated with remote work and learning. Fortinet saw an explosion in various forms of browser-based malware that appeared in the form of phishing lures as well as scripts that inject code or redirect users to malicious sites.

The researchers split the distribution mechanisms into three broad categories: Microsoft Office executables (MSExcel/, MSOffice/), PDF files, and browser scripts (HTML/, JS/).

"Such techniques continue to be a popular way for cybercriminals to exploit people's desire for the latest news about the pandemic, politics, sports, or other headlines, and to then find entryways back to corporate networks. With hybrid work and learning remaining a reality, there are fewer layers of protection between malware and would-be victims," Fortinet said. 

Fortinet said it continues to see a mix of new and old ransomware strains used in attacks when it comes to ransomware.

FortiGuard Labs said it "observed a consistent level of malicious activity involving multiple ransomware strains, including new versions of Phobos, Yanluowang and BlackMatter." 

Researchers with Fortinet noted that the Log4j vulnerabilities and others were one example of how quickly cybercriminals and nation-states move in exploiting widespread flaws. 

Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, said new and evolving attack techniques span the entire kill chain but especially in the weaponization phase, showing evolution to a more advanced persistent cybercrime strategy that is more destructive and unpredictable. 

Editorial standards