Log4j Vulnerability Remains Headache for Cybersecurity Pros, Likely Exploited in Ukraine Attacks

A new Neustar International Security Council (NISC) survey shows the Log4j vulnerability continues to plague security professionals globally. Moreover, threat actors could exploit Log4j in attacks against Ukraine.

Three out of five organizations have fielded Log4j attacks. Log4Shell is a zero-day exploit in the popular Java logging library log4j. It results in remote code execution (RCE) by logging a certain string.

Researchers discovered Log4j vulnerability in early December. Log4J led to an explosion of attacks.

Carlos Morales is senior vice president of solutions at Neustar Security Services.

Neustar’s Carlos Morales

“In general, there is ample evidence of increased cyber activity towards Ukraine-based companies,” he said. “So it is of great importance for those companies to ensure they are preventing access to any known vulnerabilities like Log4j that could be exploited. The risk of having the vulnerability exploited is much higher under the circumstances.”

Personally Impacted by Log4j Vulnerability

Among the NISC survey findings:

• Log4j has personally impacted three-quarters of respondents. In addition, one in five said the impact had been significant.
• Nearly half said Log4j has made them reevaluate software supply chain security practices and purchasing decisions.
• A substantial majority said regulatory bodies like the Federal Trade Commission (FTC) should take legal action against organizations that fail to patch for Log4j.

For companies that have deployed web application firewall (WAF) technology or contract WAF functions from their cloud security providers, there may be a simple solution for handling zero-day threats like Log4j. That’s virtual patching.

Virtual patching tricks any potential attackers into thinking that applications aren’t vulnerable to a threat, Morales said.

“The WAF terminates the connection with the client, ensures that the client is not performing any malicious actions, and then creates a separate connection to the server, bridging data between the two,” he said. “Since it is terminating the client traffic, the WAF can act on behalf of the origin server and cover up for any vulnerabilities that exist on the server.”

Still At It 2 Months Later

Hackers pounced on Log4Shell vulnerabilities in December, and hackers are still at it two months later, according to new Barracuda research.

Since Dec. 10, Barracuda researchers have analyzed the Log4j software attacks and payloads detected by its systems. The volume of attacks attempting to exploit these vulnerabilities has remained relatively constant with a few dips and spikes over the past two months.

Given the popularity of the software, the exploitability of the vulnerability and the payoff when a compromise happens, Barracuda researchers expect this attack pattern to continue, at least for the short-term.

Among Barracuda research findings:

• The majority of attacks came from IP addresses in the United States. Half of those IP addresses are associated with Amazon Web Services (AWS), Azure and other data centers.
• Threat actors are sending attacks from Japan, Germany, Netherlands and Russia.

Tushar Richabadas is Barracuda’s senior product manager of application and cloud security. He said cybercriminals likely have had some success with Log4Shell.

Barracuda’s Tushar Richabadas

“We’re seeing a lot of scans, and a lot of attacks, but not many high-profile breaches,” he said. “A large portion of the exploit attempts are cryptominers. There were also distributed denial-of-service (DDoS) bots like Mirai and such. We’re slowly hearing about more significant attackers like the … Conti group using this vulnerability. So we’ll likely see bigger breaches happening over time.”

Long Tail for Log4j Attacks

There is probably going to be a long tail for these attacks and scams, Richabadas said. Therefore, patching is going to remain critical for a very long time.

ProxyLogon vulnerabilities were discovered in March of last year. However, Barracuda saw renewed interest from malware groups in November, he said.

“We’ll probably see something similar with Log4Shell as well,” Richabadas said. “A large number of organizations have patched or upgraded their vulnerable installations, and have also added layers of protection against such attacks. This is something that has stopped a large number of these attacks. In terms of stopping the threat actors themselves, the most effective has been the takedowns of the payload servers and callback servers.”