Exploitation attempts and testing remained high during the last weeks of December.

Edward Gately, Senior News Editor

January 5, 2022


Log4j vulnerabilities continue to pose a complex and high-risk situation for companies globally, according to Microsoft.

The Microsoft 365 Defender Threat Intelligence Team has updated its guidance for preventing, detecting and hunting for exploitation of log4j vulnerabilities.

Last month, researchers disclosed a zero-day vulnerability in log4j, the popular Java logging library. An attacker gets remote code execution (RCE) simply by having the application log a crafted string that triggers a JNDI lookup. Since then, additional vectors have been discovered.

Exploitation attempts and testing remained high during the last weeks of December, the Microsoft team said.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” it said.

Organizations may not realize attackers have already compromised their environments. Where vulnerable installations are discovered, customers should not stop at patching but should also review the affected devices for signs of compromise.

At this point, customers should assume that exploit code and scanning capabilities are broadly available and pose a real and present danger to their environments.

FTC Issues Warning

In addition, the Federal Trade Commission (FTC) has issued a warning to U.S. companies saying it will go after any company that fails to protect its customers’ data against ongoing log4j attacks.

The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of log4j vulnerabilities, or similar known vulnerabilities in the future.

“It is critical that companies and their vendors relying on log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” it said.

The McAfee Enterprise and FireEye Advanced Threat Research team said that, with the full scale of the log4j vulnerabilities’ impact still unknown, opportunities for threat actors are endless.

Log4Shell Spares No One

Steve Povolny is head of advanced threat research and principal engineer at McAfee Enterprise.


“Log4Shell has truly redefined what we think of as an attack surface, sparing neither Fortune 50 companies nor mom-and-pop shops around the world,” he said. “As log4j is one of, if not the most popular logging applications used by developers, the reach of the vulnerability simply can’t be overstated. Organizations in every industry vertical have been affected, from financial to medical, telecom to aerospace, industrial controls to consumer devices, and many more critical industries have been subjected to attacks on this simple-to-exploit flaw.”

The good news is this vulnerability gained global attention and discussion within hours of public acknowledgement, Povolny said. It has received more attention and awareness than “any bug I’ve seen in at least the last five years.”

“The focus has been on patching, which is of course highly relevant, and should be table stakes,” he said. “What’s being discussed less is the forensics exercises and remediation that may be going on with now-patched systems for months to come. Organizations need to understand that even if they have secured their infrastructure from exploitation against the log4shell vulnerability, it is highly possible and perhaps likely that many of these components were silently breached, and effectively hidden.”

The only way to remediate this is via extensive monitoring, assessment, scanning and forensics, Povolny said.

“The scope of this effort can be massive and will probably play out for months or years to come,” he said.

Slow Response ‘Unacceptable’

Many large organizations deployed patches rapidly, Povolny said. However, others reacted more slowly.

“This is truly unacceptable,” he said. “While we can’t plan on the timing of critical vulnerabilities like this, there is a regular cadence of these industry-changing bugs on at least an annual basis. Organizations of all types and sizes must leverage this opportunity to plan better for the next major flaw, so they can react within hours instead of days or weeks.”

Ray Kelly is fellow at NTT Application Security.


“The importance of detection cannot be overstated as it is not always obvious which software is utilizing a vulnerable version of the log4j library,” he said. “Microsoft has laid out several methods for detecting active exploit attempts utilizing log4j; however, identifying the vulnerable version before an attack would be ideal. This will be a continuing battle for both consumers and vendors going forward into 2022 in what will need to be a two-pronged approach. Security vendors have been quick on the response for consumers by adding log4j rules that enable dynamic application security testing (DAST) scanners to detect if a website can be exploited with a malicious log4j web request against a company’s web server. At the same time, vendors must ensure that they are not shipping software with the vulnerable version using tools such as software composition analysis (SCA).”
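Kelly’s point that the vulnerable version is not always obvious is the hard part in practice: log4j-core is often buried inside a WAR, repackaged into a shaded fat JAR with no Maven metadata, or left at an old version with only `JndiLookup.class` deleted as a stopgap. The following is an added example, not Microsoft’s, NTT’s or any SCA vendor’s code, of the minimal composition check a practitioner can run offline: it walks a directory, opens every archive (recursing into nested ones), reads the `log4j-core` version from `pom.properties` and checks whether the JNDI lookup class is present. The sample archives it builds are constructed stand-ins with placeholder bytes, not real artifacts, and the `MIN_SAFE_VERSION` floor of 2.17.1 is an assumed policy value that should be taken from the current Apache Log4j security advisory rather than from this code.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumed policy floor for this example; take the real value from the Apache Log4j security page.
MIN_SAFE_VERSION = "2.17.1"


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes are ignored; adequate for comparing to the floor."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def inspect_archive(data, path):
    """Findings for one archive given as bytes; recurses into nested archives (fat JARs, WARs, EARs)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        if version is None:
            status = "unknown-version-review"      # shaded/relocated copy: lookup class present, no metadata
        elif version_tuple(version) >= version_tuple(MIN_SAFE_VERSION):
            status = "ok"
        elif has_jndi:
            status = "vulnerable"                  # old log4j-core with the JNDI lookup class still inside
        else:
            status = "mitigated-by-class-removal"  # stopgap applied; still needs the real upgrade
        findings.append({"path": path, "version": version, "jndi_lookup_present": has_jndi, "status": status})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(inspect_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive in it; paths are reported relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), os.path.relpath(full, root)))
    return findings


def _jar(members):
    """Build an in-memory archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _pom(version):
    return f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"


def build_sample_tree(root):
    """Constructed sample archives (placeholder bytes, not real artifacts) covering each reported case."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; stands in for real .class content
    old = _jar({POM_PROPERTIES: _pom("2.14.1"), JNDI_LOOKUP_CLASS: stub})
    samples = {
        "lib/log4j-core-2.14.1.jar": old,
        "lib/log4j-core-2.17.1.jar": _jar({POM_PROPERTIES: _pom("2.17.1"), JNDI_LOOKUP_CLASS: stub}),
        "lib/log4j-core-stripped.jar": _jar({POM_PROPERTIES: _pom("2.14.1")}),
        "lib/shaded-app.jar": _jar({"com/example/App.class": stub, JNDI_LOOKUP_CLASS: stub}),
        "lib/unrelated.jar": _jar({"com/example/Other.class": stub}),
        "webapps/app.war": _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "index.html": b"<html/>"}),
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo_scan():
    """Build the sample tree in a temporary directory, scan it and return {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f["path"]: f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    for path, status in demo_scan().items():
        print(f"{status:28s} {path}")
```

Two points from running it: the copy inside `app.war` and the shaded JAR are exactly the ones a filename-based inventory misses, and an archive reported as `mitigated-by-class-removal` still belongs on the upgrade list. A real SCA tool adds hashes of known class files and handles other packaging formats; this example only shows the shape of the check.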

‘Extremely Long Tail’

Jake Williams is co-founder and CTO at BreachQuest.


“As Microsoft notes, this vulnerability will have an extremely long tail for exploitation considering that many organizations do not even realize they are running vulnerable software,” he said. “Unfortunately, and nobody wants to hear this, there’s nothing left to say about remediating log4j that hasn’t already been said hundreds of times. Any organization asking today what they need to do regarding log4j almost certainly has an incident on their hands. Being exploited through an internet-facing system running vulnerable log4j at this point is a leadership failure, not a technical one.”


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
