Major attacks using Log4j vulnerability ‘lower than expected’


Thanks in large part to the massive response effort from the security community, there have been few cyber attacks of consequence leveraging the vulnerabilities in Apache Log4j so far, according to findings from cybersecurity giant Sophos.

On the whole, successful attacks using the Log4j flaws have been limited, said Chester Wisniewski, principal research scientist at Sophos, in a blog today.

Like other cyber vendors, the Sophos Managed Threat Response Team (MTR) has detected a large number of scans and attempts to use exploits for the remote code execution vulnerability, known as Log4Shell. But as of early January, “only a handful of MTR customers faced attempted intrusions where Log4j was determined to be the initial entry point,” Wisniewski wrote. Most of those intrusions were by cryptocurrency miners.

“The overall number of successful attacks to date remains lower than expected,” he wrote.

Still, the broad scope of the Log4Shell vulnerability, and the difficulty of finding all instances of it, suggest the bug “will likely be a target for exploitation for years to come,” Wisniewski wrote.

Widespread vulnerability

If unpatched, many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.

The initial Log4j vulnerability, revealed on December 9, could be used to enable remote execution of code by unauthenticated users.

However, “Sophos believes that the immediate threat of attackers mass exploiting Log4Shell was averted because the severity of the bug united the digital and security communities and galvanised people into action,” Wisniewski wrote. “This was seen back in 2000 with the Y2K bug and it seems to have made a significant difference here.”

Few major attacks using Log4j have been disclosed to date. On December 20, the defense ministry in Belgium disclosed that a portion of its network was shut down in the wake of a cyber attack. The attack had resulted from an exploitation of the vulnerability in Log4j, the defense ministry said.

Cyber firm Qualys previously told VentureBeat it had observed “attempted ransomware attacks, some of which have been successful – by Conti, Khonsari, and some nation-state-backed adversaries,” Travis Smith, director of malware threat research at Qualys, said in an email. Specifics of the attacks were not disclosed.

Disrupted attacks

Other attacks that have been reported were disrupted midway through. For instance, on December 29, CrowdStrike said its threat hunters identified and disrupted an attack by a state-sponsored group based in China, which involved an exploit of the Log4j vulnerability. CrowdStrike said that threat hunters on its Falcon OverWatch team intervened to help protect a “large academic institution,” which wasn’t identified, from a hands-on-keyboard attack that appears to have used a modified Log4j exploit.

In addition to the widespread response from the security community, another potential reason that mass exploitation has been kept to a minimum “could be the need to customize the attack to each application that includes the vulnerable Apache Log4J code,” Wisniewski wrote.

Nonetheless, “just because we’ve steered round the immediate iceberg, that doesn’t mean we’re clear of the risk,” he said.

“Some of the initial attack scans may have resulted in attackers securing access to a vulnerable target, but not actually abusing that access to deliver malware, for instance – so the successful breach remains undetected,” Wisniewski wrote.

“Sophos believes that attempted exploitation of the Log4Shell vulnerability will likely continue for years and will become a favourite target for penetration testers and nation-state supported threat actors alike,” he wrote. “The urgency of identifying where it is used in applications and updating the software with the patch remains as critical as ever.”

Long tail

Other cyber experts have previously made similar comments to VentureBeat, saying that the worst of the attacks utilizing the Log4j flaws may actually be months — or even years — into the future.

“In many cases, attackers breach a company, gain access to networks and credentials, and leverage them to carry out huge attacks months and years later,” said Rob Gurzeev, cofounder and CEO of CyCognito, in a previous email to VentureBeat.

Once they’ve established a foothold, sophisticated attackers will often take their time in surveying users and security protocols before executing the full brunt of their attacks, said Hank Schless, senior manager for security solutions at Lookout.

This helps them strategize how to most effectively avoid existing security practices and tools, Schless said, “while simultaneously identifying what parts of the infrastructure would be most effective to encrypt for a ransomware attack.”

Ultimately, due to the widespread nature of the flaw, “the long tail on this vulnerability is going to be pretty long,” said Andrew Morris, the founder and CEO at GreyNoise Intelligence, in a previous interview. “It’s probably going to take a while for this to get completely cleaned up. And I think that it’s going to be a little bit before we start to understand the scale of impact from this.”

Originally appeared on: TheSpuzz