Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning notifying organizations that malicious threat actors are continuing to exploit the zero-day Log4Shell vulnerability in VMware Horizon and Unified Access Gateway (UAG) to obtain initial access to target systems without the necessary patches.
In the report, CISA recommends all organizations with affected systems that haven’t deployed patches “assume compromise and initiate threat hunting activities.”
Above all, the notice highlights that enterprises who haven’t patched Log4Shell are still at risk, and at the very least, need to deploy available patches to their systems, if not take steps to remediate an intrusion.
A look at the history of Log4Shell
Alibaba’s cloud security team first discovered and reported the Log4Shell vulnerability to Apache on November 24, 2021.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
The researchers initially noticed attackers using an exploit in Apache Log4j 2, an open-source library that logs errors and events within Java applications, to remotely execute malicious code to servers and clients running Minecraft.
While Apache patched the vulnerability on December 9, 2021, Log4Shell had already gained a reputation as a serious zero-day vulnerability, that commentators warned would “wreak havoc across the internet for years to come,” with an estimated 3 billion exploitable devices.
As publicity grew over the vulnerability, threat actors began to direct attacks at enterprises across the world, with Microsoft finding an uptick in techniques including mass-scanning, coin mining, establishing remote shells, and red-team activity.
Since then, the exploit has decreased confidence in third-party cloud software to the point where 95% of IT leaders report that Log4Shell was a major wake-up call for cloud security. And additionally, 87% reporting they feel less confident about their cloud security now than they did prior to the incident.
Many affected software packages are still unpatched
While it’s been months since Log4Shell was first discovered and many organizations have deployed the necessary vulnerabilities to protect their systems, most haven’t. In fact, in April this year, a Rezilion report found that almost 60% of the affected Log4Shell software packages remain unpatched.
CISA’s recent warning highlights that failure to patch these systems could be a costly oversight, given that threat actors are still actively looking for unpatched systems to exploit.
The only way to minimize these zero-day threats is for enterprises to implement an organized patching plan, to ensure that any internet-facing servers are patched and protected.
“Patching is a critical part of any organization’s security plan, and devices connected to the internet while unpatched — especially against a well-known and exploited vulnerability — creates a serious risk for the organizations and their customers,” said Erich Kron, security awareness advocate with KnowBe4. “While patching can be a challenge and can even pose a real risk of an outage if there are problems, any organizations that have internet-facing devices should have a system in place, and testing to reduce the risk significantly.”
The security implications of failing to patch log4j
At this stage in the vulnerability’s lifecycle, failure to patch exposed systems is a serious mistake that indicates an organization has significant gaps in its existing security strategy.
“Patches for Log4j versions that are vulnerable to Log4Shell have been available since December. This includes patches for VMware products,” said Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center. “Unfortunately, organizations that have yet to patch Log4j or VMware Horizon lacks a robust patch management strategy, be that a commercial or open-source strategy, or have instances of shadow deployments.”
Mackey also highlighted that while using media outreach to encourage organizations to patch new vulnerabilities can be effective, it isn’t a substitute for proactively monitoring for exploits.
A look at the solutions
While keeping vulnerabilities patched is easier said than done in complex modern network environments, there are a growing number of patch management solutions that organizations can use to push patches to multiple devices remotely and efficiently.
Many organizations are already using patch management solutions to keep their devices updated, with researchers anticipating that the global patch management market will grow from a value of $652 million in 2022, to reach a valuation of $1084 million by 2027.
For addressing the Log4Shell vulnerability at a more granular level, enterprises can leverage vulnerability scanning tools like PortSwigger BurpSuite Pro, Nmap, and TrendMicro’s Log4J Vulnerability Tester to identify exposed files so they can take action to remediate them.
It’s also worth noting that prominent tech vendors like Microsoft and Google have deployed their own proprietary solutions to help enterprises identify and mitigate Log4j.
Microsoft expanded Microsoft Defender so that it can scan devices for vulnerability Log4j files. Google Cloud offers Cloud Logging to allow enterprises to query logs for attempts to exploit Log4j 2 and issues alerts to notify them when exploit messages are written to logs.
By combining patch management solutions with proactive vulnerability scanning, organizations can consistently identify compromised infrastructure and exploits like Log4j before an attacker has a chance to exploit them.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.