One year after Log4Shell, most firms are still exposed to attack
The Log4j vulnerability continues to present a major threat to enterprise organizations one year after the Apache Software Foundation disclosed it last November — even though the number of publicly disclosed attacks targeting the flaw itself has been less than many might have initially expected.
A high percentage of systems still remain unpatched against the flaw, and organizations face challenges in finding and remediating the issue and then preventing the flaw from being reintroduced into the environment, security researchers say.
“The fact that Log4j is used in [nearly] 64% of Java applications and only 50% of those have updated to a fully fixed version means attackers will continue to target it,” says David Lindner, CISO at Contrast Security. “At least for now, attackers continue to have a field day in finding paths to exploit through Log4j.”
Multiple Attacks But Fewer Than Expected
The Log4j flaw (CVE-2021-44228), commonly referred to as Log4Shell, exists in Log4j’s Java Naming and Directory Interface (JNDI) function for data storage and retrieval. It gives remote attackers a trivially easy way to take control of vulnerable systems — a problem given that Log4j is used in virtually every Java application environment. Security researchers consider it one of the most significant vulnerabilities in recent years because of its prevalence and the relative ease with which attackers can exploit it.
Over the past year, there have been numerous reports about threat actors targeting the flaw as a way to gain initial access into a target network. Many of these attacks have involved nation-state-backed advanced persistent threat (APT) groups from China, North Korea, Iran, and other countries. In November, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about an Iran-government-backed APT group exploiting the Log4j vulnerability in an unpatched VMware Horizon server to deploy cryptomining software and credential harvesters on a federal network.
The warning was similar to one from Fortinet in March about Chinese threat actor Deep Panda using the identical vector to deploy a backdoor on target systems, and another from AhnLab about North Korea’s Lazarus Group distributing its own backdoor the same way. Others such as Microsoft have also reported observing state actors such as Iran’s Phosphorus group and China’s Hafnium threat actor using Log4j to drop reverse shells on infected systems.
Despite such reports — and several others about financially motivated cybercrime groups targeting Log4j — the actual number of publicly reported compromises involving Log4j has remained comparatively low, especially when compared to incidents involving Exchange Server vulnerabilities like ProxyLogon and ProxyShell. Bob Huber, chief security officer at Tenable, says the scale and scope of reported attacks have been lower than expected, considering the simplicity of the vulnerability and the attack path. “Only recently have we seen some significant evidence of targeting, as noted by recent nation state activity from CISA,” Huber says.
Undiminished Threat
However, that does not mean the threat from Log4j has diminished over the past year, security researchers note.
For one thing, a large percentage of organizations remain as vulnerable to the threat as they were a year ago. An analysis of telemetry related to the bug that Tenable recently conducted showed 72% of organizations were still vulnerable to Log4j as of Oct. 1, meaning only 28% of organizations globally had fully remediated the bug. Tenable also found that organizations that had remediated their systems often encountered Log4j again and again as they added new assets to their environments.
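The finding-and-reintroduction problem described above (and the "fully fixed version" distinction Lindner draws) comes down to inventory: knowing which archives on a host carry log4j-core, at which version, and whether the JndiLookup class is still present. The script below is an added example, not code from the article, Tenable or Contrast Security. It walks a directory, opens every .jar/.war/.ear/.zip (recursing into nested archives such as WEB-INF/lib), reads the log4j-core version from the Maven pom.properties the jar normally carries, and classifies it against the fix lines in Apache's advisory: 2.15.0 / 2.12.2 / 2.3.1 close CVE-2021-44228 itself, while 2.17.1 / 2.12.4 / 2.3.2 also close the follow-on 2021 CVEs. A jar whose JndiLookup.class has been deleted (Apache's documented workaround) is reported as "mitigated". The sample archives it builds when run without arguments are constructed fixtures, not real Log4j jars; shaded jars that drop pom.properties are reported as "unknown" rather than guessed at.

```python
"""Inventory scanner for Log4j 2 (CVE-2021-44228 and follow-ons) in Java archives.
Added example; version thresholds follow Apache's Log4j security advisory."""
import io
import os
import re
import sys
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 5  # guard against deeply nested or malicious archives


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release tags like '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_version(version):
    """Classify a log4j-core version: vulnerable / partially-fixed / fixed / not-affected."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v < (2, 0, 0):
        return "not-affected"  # Log4j 1.x never shipped JndiLookup
    in_2_3 = (2, 3, 0) <= v < (2, 4, 0)     # Java 6 maintenance line
    in_2_12 = (2, 12, 0) <= v < (2, 13, 0)  # Java 7 maintenance line
    # "Fully fixed": all four 2021 Log4j 2 CVEs closed
    if v >= (2, 17, 1) or (in_2_12 and v >= (2, 12, 4)) or (in_2_3 and v >= (2, 3, 2)):
        return "fixed"
    # CVE-2021-44228 closed, but later 2021 CVEs still apply
    if v >= (2, 15, 0) or (in_2_12 and v >= (2, 12, 2)) or (in_2_3 and v >= (2, 3, 1)):
        return "partially-fixed"
    return "vulnerable"


def scan_archive(data, name, findings=None, depth=0):
    """Inspect one archive (as bytes) and every archive nested inside it."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            status = classify_version(version) if version else "unknown"
            # Deleting JndiLookup.class is Apache's documented workaround
            if status in ("vulnerable", "unknown") and not has_jndi:
                status = "mitigated"
            findings.append({"archive": name, "version": version,
                             "jndi_lookup_present": has_jndi, "status": status})
        if depth < MAX_NESTING:
            for member in names:
                if member.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive(zf.read(member), f"{name}!{member}", findings, depth + 1)
    return findings


def scan_path(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_sample_archive(version=None, include_jndi=True, nested=None):
    """Constructed fixture: a minimal zip that looks like log4j-core. Not a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
        for member_name, member_bytes in (nested or {}).items():
            zf.writestr(member_name, member_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])
    else:  # demo on a constructed WAR bundling a vulnerable log4j-core
        inner = build_sample_archive("2.14.1")
        war = build_sample_archive(include_jndi=False,
                                   nested={"WEB-INF/lib/log4j-core-2.14.1.jar": inner})
        results = scan_archive(war, "app.war")
    for f in results:
        print(f"{f['status']:16} {(f['version'] or '?'):8} {f['archive']}")
    sys.exit(1 if any(f["status"] in ("vulnerable", "partially-fixed") for f in results) else 0)
```

Run as `python log4j_inventory.py /opt/apps` on a host, or wire it into a build pipeline so that a newly added artifact that bundles an old log4j-core fails the job; that is the point at which the reintroduction Tenable describes can be caught. The exit code distinguishes "partially-fixed" from "fixed" deliberately, so that a 2.15.0 or 2.16.0 upgrade done in the rush of December 2021 still shows up as unfinished work.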
To read the complete article, visit Dark Reading.