Log4j flaw: The threat isn't over yet

An early analysis of Log4Shell suggests quick action by tech vendors and open-source software developers averted a crisis. But the bug will lurk in systems for years to come.
Written by Liam Tung, Contributing Writer

Log4Shell affected hundreds of millions of devices and was cast as a critical tech emergency that would almost certainly be exploited by attackers around the globe.

But a month after the Apache Software Foundation disclosed Log4Shell in its Log4j library on December 9, the US Cybersecurity and Infrastructure Security Agency (CISA) said it hasn't seen any major breach arise from the attack, with the exception of an attack on the Belgian Defense Ministry.

The reason for the initial concern was that the Java-based application error logging component was embedded in so many in-house enterprise applications and in hundreds of products from VMware, Oracle, IBM, Cisco and others.


Even so, exploitation of the vulnerability has been limited. Security firm Rapid7, for example, saw a surge in exploit attempts against VMware's Horizon servers, and Microsoft observed NightSky, a China-based double-extortion ransomware gang, targeting vulnerable instances of Horizon.

Despite the absence of immediate mass exploitation, Sophos's Chester Wisniewski backs the view that Log4Shell will be a target for exploitation for years to come.

Microsoft continues to rate the Log4j vulnerabilities as a "high-risk situation" for companies across the globe and reckons there is high potential for their expanded use. But for now, Wisniewski believes an immediate crisis has been swerved.

"[T]he immediate threat of attackers mass exploiting Log4Shell was averted because the severity of the bug united the digital and security communities and galvanised people into action. This was seen back in 2000 with the Y2K bug and it seems to have made a significant difference here," says Wisniewski.

Sophos detected a huge surge in internet-scanning activity in mid-December – conducted by researchers or threat actors – that petered out by the end of January, by which point most exploitation was by crypto coin-mining malware.

While Log4Shell is easy to exploit on some systems, Log4j is embedded in many different applications in many different ways, which makes exploitation in practice more challenging.

"Another factor to consider when evaluating the scanning numbers is that a Log4Shell type of flaw is exploited differently based on which application the Log4J code is in and how it has been integrated with that application. This results in a high volume of redundant scans trying different ways to exploit different applications," says Wisniewski.

CISA warned, however, that attackers might be holding back from using access gained through Log4Shell until alert levels fall. That is, attackers could lie dormant within a network, waiting to deploy malware months later. Wisniewski supports CISA's cautionary stance.

"Sophos has observed countries such as Iran and North Korea pounce on VPN vulnerabilities to gain access to targets' networks and install backdoors before the targets have had a chance to deploy the patches, and then wait months before using that access in an attack," he says.

As for how long Log4Shell will remain a threat, Wisniewski reckons internet-facing applications will be found and patched or taken offline. But that still leaves a large number of vulnerable internal systems that may never be discovered, so Log4Shell will live on for years as a favorite target for penetration testers and state-backed threat actors.

Though not the first major open-source software bug to rattle the internet, Log4Shell did prompt talks in January between major tech players and the White House aimed at figuring out how to respond to and avert the next major open-source bug, in particular by improving the transparency of the software supply chain.
