
CISA Warning: Log4j Poses Long-Term Risk to Critical Infrastructure

Because of the sheer number of places where it is present and the ease with which it can be exploited, the Log4j vulnerability poses a threat to most of the Java-using world. A new alert from the Cybersecurity and Infrastructure Security Agency (CISA) indicates that experts see it as a long-term threat to United States critical infrastructure.

The report stresses that “significant” Log4j breaches have not yet been found in the networks of federal agencies or critical infrastructure companies, but that it is not yet possible to assess whether the vulnerability is present across all of these disparate systems. Though a patch for the vulnerability was issued very quickly after its public discovery, the problem is difficult to remedy due to the need to track down every instance of the software (which is present in many open source libraries) and manually update each one.
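One way to approach the inventory problem described above, as an added example that is not from CISA or the original article: a scanner that opens Java archives recursively, because log4j-core is frequently bundled inside WAR/EAR files or other jars rather than sitting on disk under its own name. The sample WAR, its file names and its version string are constructed for the demonstration.

```python
import io
import os
import zipfile

# Class whose presence marks a log4j-core copy that still ships the JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata bundled in log4j-core jars; it carries a "version=" line.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_NESTED = 256 * 1024 * 1024  # skip oversized nested entries (zip-bomb guard)

def scan_archive(data, label, depth=0, max_depth=5):
    """Return [(location, version, has_jndi_lookup)] for each log4j-core copy."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive
    findings = []
    with zf:
        names = zf.namelist()
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # repackaged copies may lack the Maven metadata
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version, JNDI_CLASS in names))
        for info in zf.infolist():
            nested = info.filename.lower().endswith(ARCHIVE_EXTS)
            if nested and depth < max_depth and info.file_size <= MAX_NESTED:
                findings += scan_archive(zf.read(info), f"{label}!/{info.filename}", depth + 1, max_depth)
    return findings

def scan_tree(root):
    """Scan every archive under a directory tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            with open(path, "rb") as fh:
                findings += scan_archive(fh.read(), path)
    return findings

def build_sample_war():
    """Constructed sample input: a WAR bundling log4j-core under WEB-INF/lib."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Each finding records where the copy sits, the version from its Maven metadata when available, and whether the JNDI lookup class is still present, which gives a list to compare against the vendor's fixed releases.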

Log4j will continue to nag government organizations for years, report projects

The report says that Log4j breaches have not yet been seen at federal agencies, but some “low level” incidents have occurred at private critical infrastructure companies. These incidents are considered less serious as the devices that were compromised were used as additions to botnets or for crypto mining rather than for attacks on utilities or public services.

Cyber criminals and threat actors are certainly scanning far and wide for Log4j, however, and CISA Executive Director Eric Goldstein believes that the more advanced hacking groups have already compromised their targets and are waiting for IT departments to relax their defenses before they execute significant and sophisticated campaigns. CISA notes similarities to the 2017 vulnerability found in Apache Struts, which advanced attackers waited months to exploit after it was made public.

The report also says that there is no significant activity from ransomware groups in terms of targeting Log4j in government and critical infrastructure systems, though this could be another case of the most dangerous threat actors lying low and waiting for the most opportune moment to strike. CISA also believes that some organizations may have already been quietly compromised via Log4j, and the attackers are exfiltrating data and ramping up for future campaigns without leaving any trace of their presence.

Thus far, Log4j has not been nearly as damaging as it was projected to be when it first appeared in November, not just for US government agencies but for organizations globally. It is believed to have been used in a breach of the Belgian Defense Ministry in December, but otherwise there have been extremely few major incidents or even known examples of it being used to deliver ransomware. Advanced persistent threat actors known to be backed by nation-states have been observed scanning for it, but have yet to make use of it in a way that anyone is aware of.

Goldstein said that the remediation period for Log4j across these systems will be “long” because, in addition to the sheer number of instances out in the wild, each vendor that makes use of it will have to prepare its own unique patch that updates the software without breaking anything else. CISA will be focusing on public-facing systems and assets before it takes on internal networks. The issue may not be fully remediated across all systems for years.

Pravin Madhani, CEO and Co-Founder of K2 Cyber Security, elaborates on the difficulties: “The challenge with the Log4j flaw is that new variants of the original Log4j vulnerability are being discovered and each one of them requires a new patch. Also, organizations may not be able to take down all the servers at once for patching. Ideally, organizations should consider an application runtime security solution which eliminates the urgent need for patching against new vulnerabilities like Log4j, and gives organizations time to methodically schedule patches.”

One particular issue that the government is struggling with is a preponderance of outdated “end of life” systems that vendors long ago stopped providing support for. Vendors will sometimes return to a “dead” product to create a patch for very serious vulnerabilities such as this one, but they are not legally obligated to in any way.

CISA calls for expanded mandatory reporting for critical infrastructure

The Biden administration has recently strengthened cyber security incident reporting requirements for certain segments of the critical infrastructure field, but CISA would like to see it go even further.

CISA Director Jen Easterly is calling for all companies involved in critical infrastructure to be required to report incidents to CISA and federal law enforcement within a short window. The administration’s previous requirements have set time limits at 24 to 72 hours for serious incidents such as ransomware attacks.

It is somewhat surprising that there have not been more Log4j incidents given that the vulnerability is relatively easy to exploit: it requires only that a specific snippet of code be received by some element of a system that will log the text (which could be as simple as sending an email or text chat message). The attack is well worth the minimal effort, as it can lead to complete access to a target system.

CISA has not yet required federal contractors to patch the vulnerability, but did require federal agencies to do so by December 23 and also to compile and turn over a list of potentially vulnerable applications (and their vendors) by December 28.

In the meantime, John Bambenek, Principal Threat Hunter at Netenrich, does not see this alert leading to any increased sense of urgency among critical infrastructure firms: “Advisories like this do little to help defenders actually protect themselves. I read this and don’t have any more insight into detecting and preventing these attacks than before. It’s 2022, these agencies hopefully can reach directly out to organizations with more specific guidance because public announcements aren’t helpful and there are reasons not to be too specific in them as well.”