Log4j: The Aftermath and Lessons Learned

A Look Back

The Log4Shell vulnerability, discovered on the log4j logging library in December 2021 (cisa.gov), had a major impact on the cybersecurity industry. Log4j is a Java-based logging library that was developed by Ceki Gülcü and later transferred to the Apache Software Foundation. It is commonly used in many Java applications for optional level-based logging.

The library, maintained by Apache, is widely used by Java applications, and was found to be vulnerable to arbitrary code execution by attackers – potentially leading to system compromise and sensitive information theft. The vulnerability’s ubiquity made it difficult to identify, and was more dangerous than most threats, with Apache Log4j 2.x being one of the top downloads out of 7.1 million samples. Researchers identified hundreds of vulnerable projects, with over 100 million instances of software and technology affected. In an observation pool of 105,497 services running a target for the log4j vulnerability, 102,060 were found to be vulnerable to attack.

The Aftermath: Not as Catastrophic as Once Feared

In the aftermath of the vulnerability’s disclosure, the cybersecurity community focused on mitigating the potential damage. However, some malicious actors sought to spread the vulnerability on dark web forums. Despite initial concerns about the wide-spread impact of the vulnerability, the public results were not as catastrophic as feared. It is still actively exploited, but the impact level is considered low compared to initial expectations.

The Cyber Safety Review Board (CSRB) released a report on the Log4Shell vulnerability in July 2022, assessing it as an “endemic vulnerability” that will remain in systems for many years. Data from Sonatype’s dashboard shows that as of January 2023, 26% of log4j library downloads, more than 50,000, were vulnerable versions of the library.

Lessons Learned: The Importance of Ongoing Monitoring and Risk Assessment

The Critical Start Cyber Threat Intelligence (CTI) team has identified twelve Advanced Persistent Threat (APT) groups who have leveraged the Log4Shell vulnerability in their attacks, including: CHRYSENE, TA505, Lazarus Group, DarkHotel, Axiom, TA413, BRONZE STARLIGHT, ELECTRUM, MuddyWater, EMISSARY PANDA, TeamTNT, and Kinsing.

So, what do we know going forward, and how can your organization best protect itself?

1. The ubiquitous nature of open-source code is a wonderful thing for information sharing and the general advancement of knowledge, but that same ubiquity paired with widespread use of certain software libraries can make vulnerabilities harder to identify and more dangerous when they are discovered.
2. The impact of a vulnerability may not be immediately clear and can change over time. When initially discovered, Log4j was expected to have a catastrophic impact due to the prevalence of the Log4j logging library and its ease of exploitation. However, the public results were not as disastrous as initially feared, due to several factors, including the effectiveness of patches and updates, the ability of organizations to mitigate the vulnerability, and the delayed actions of malicious actors. It’s also important to note that even though the impact was not as high as expected, it was still actively exploited and had a significant impact on many organizations.
3. The cybersecurity community needs to take a proactive approach to mitigating the potential damage of a vulnerability, including patching and updating systems in a timely manner. This can help to prevent or limit the potential impact of a vulnerability. Additionally, organizations should have incident response plans in place to quickly and effectively respond to a vulnerability or attack.

In the case of Log4Shell, the cybersecurity community focused on mitigating the potential damage caused by the vulnerability after it was discovered. This included identifying and patching vulnerable systems, as well as educating organizations and individuals about the vulnerability and how to protect themselves. However, it’s also important to have a process in place to monitor and detect new vulnerabilities, and to have a plan to respond to them.

• Vulnerabilities can persist in systems for a long time and can continue to be exploited by malicious actors. This is exemplified by the Log4Shell vulnerability, which was assessed by the Cyber Safety Review Board (CSRB) as an “endemic vulnerability” that will remain in systems for many years. This means that even after a vulnerability has been discovered and patches have been released, it may still be present in systems and can be exploited by attackers.

The persistence of vulnerabilities in systems highlights the importance of ongoing monitoring and risk assessment. It’s also important to mention that it’s not only software vulnerabilities that can persist in systems, but also misconfigurations and weak security controls that could be exploited by attackers. Therefore, organizations should have a continuous process of security control assessment and risk management.

• The use of widely used libraries highlights the importance of secure coding practices and the need for ongoing monitoring and risk assessment. This is because vulnerabilities in widely used libraries can have a major impact on many organizations and individuals, and it can make it harder for organizations to identify and patch vulnerabilities. To mitigate these risks, organizations should prioritize secure coding practices and ensure that developers are aware of common vulnerabilities and how to avoid them. It’s also essential to have a process in place to monitor for and patch vulnerabilities in the libraries they use, and to detect and respond to any attempted exploitation of vulnerabilities.

The Log4Shell vulnerability serves as a reminder of the importance of timely patching and updating systems, as well as the need for ongoing monitoring and risk assessment. It also highlights the danger of relying on widely used libraries and the need for secure coding practices.

Our CTI team helps organizations stay one step ahead of emerging threats, and make decisions based on timely, relevant data as a part of Critical Start’s MDR services. Contact an expert today to learn more about our Cyber Research Unit (CRU) and how we can help you simplify breach prevention and stop business disruptions.