Almost half of Log4j downloads still dangerously exposed
Whether by error or design is unclear, but a great many IT teams are still exposing themselves by downloading outdated, insecure versions of Apache Log4j
A month after the disclosure of CVE-2021-44228, aka Log4Shell, a critical vulnerability in the Apache Log4j Java package, up to 40% of new downloads are still at risk of compromise despite the availability of safe versions, posing a threat to the entire fabric of the internet.
Data collated by Sonatype, a specialist in supply chain automation, reveals that Log4j – a crucial component of literally thousands of tools, from consumer products to enterprise software and web applications – has been downloaded more than 10,350,000 times since Log4Shell was disclosed, and that over 40% of those downloads were of vulnerable versions.
In the UK alone, said Sonatype, 44.7% of 121,483 Log4j downloads on an unspecified day within the past week were vulnerable, and the previous day, 43% of 208,259 downloads were at risk.
“The fact that we are still facing such high percentages of vulnerable downloads is indicative of a much bigger problem with supply chain security,” said Sonatype field chief technology officer Ilkka Turunen.
“If companies don’t understand what’s in their software, they’re unable to act with the requisite speed when threats arise – and in this instance, given the huge popularity of Log4j, this exposes them to significant risk.
“Fortunately, there are safe versions of the component available, so for those companies which have acted quickly, their risk has been significantly reduced,” he said. “However, this needs to serve as an urgent wake-up call that businesses must understand what’s in their software, where dependencies lie, and not leverage vulnerable components when safe ones are available.”
Although the scale of insecure components being used remains unacceptably high, there are some signs that IT teams are now responding better: since 5 January, Sonatype said, downloads of the most recent, secured Log4j versions – 2.17 and 2.17.1 – had reached a 40% adoption rate.
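Turunen's point that businesses must know "what's in their software, where dependencies lie" comes down to a concrete check: walk the resolved dependency tree and flag any log4j-core artefact older than the secured releases the article names (2.17 and 2.17.1). The script below is an added illustration, not code from the article, Sonatype or the Log4j project. It assumes input in the shape of `mvn dependency:list` output (`group:artifact:packaging:version:scope`), and the sample listing embedded in it is constructed for the example; the version threshold is taken from the article's statement that 2.17 and 2.17.1 are the secured versions.

```python
"""Flag log4j-core dependencies below the secured versions named in the article.

Added example: reads `mvn dependency:list`-style lines and reports every
log4j-core coordinate whose version is older than 2.17.0.
"""
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:list` output.
# It is not real output from any project; versions are chosen to exercise
# the check (two outdated, one secured, plus unrelated artefacts).
SAMPLE_DEPENDENCY_LIST = """
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.16.0:runtime
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    com.example:some-lib:jar:1.0.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# The article names 2.17 and 2.17.1 as the most recent, secured releases,
# so anything below 2.17.0 is reported as needing an upgrade.
MINIMUM_SAFE_VERSION = (2, 17, 0)

# CVE-2021-44228 lives in log4j-core (the implementation artefact);
# log4j-api on its own does not carry the affected lookup code.
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_IMPL_ARTIFACT = "log4j-core"

# group:artifact:packaging:version:scope, as printed by `mvn dependency:list`
DEP_RE = re.compile(
    r"^\s*\[INFO\]\s+([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)\s*$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.17.1' into (2, 17, 1); qualifiers such as '-rc1' are dropped
    and missing components are padded with zeros so tuples compare cleanly."""
    nums: List[int] = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def find_vulnerable_log4j(listing: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, scope) for every log4j-core entry
    whose version is below MINIMUM_SAFE_VERSION."""
    findings: List[Tuple[str, str, str]] = []
    for line in listing.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue  # Maven chatter or a line in another shape: skip it
        group, artifact, version, scope = m.groups()
        if group != LOG4J_GROUP or artifact != LOG4J_IMPL_ARTIFACT:
            continue
        if parse_version(version) < MINIMUM_SAFE_VERSION:
            findings.append((f"{group}:{artifact}", version, scope))
    return findings


if __name__ == "__main__":
    for coordinate, version, scope in find_vulnerable_log4j(SAMPLE_DEPENDENCY_LIST):
        print(f"UPGRADE NEEDED  {coordinate}:{version}  ({scope} scope)")
```

In practice the listing would come from `mvn dependency:list` run against the real build, and the report is only as good as the tree it reads: a log4j-core copy shaded into a fat jar or bundled with a vendor appliance will not appear in it, which is why the article's point about knowing where dependencies lie extends beyond the build file.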
Recent Log4Shell developments
- In a blog post about the critical Log4Shell vulnerability, the FTC mentioned 2017’s Equifax breach and the legal consequences that followed.
- The Log4j 2.17.0 update is the third of its kind since Log4Shell was disclosed and the mass exploitation began. Versions 2.15.0 and 2.16.0 patched remote code execution bugs.
- This Risk & Repeat podcast episode looks at the latest developments with Log4Shell and the efforts to mitigate the critical remote code execution vulnerability.
With US CISA directors saying yesterday that, although no large-scale cyber attacks through Log4Shell have yet been uncovered, they expect the vulnerability to remain in use “well into the future”, CVE-2021-44228 remains a live issue for defenders. Much attention is focused on the possibility of its use in ransomware attacks, which is understandable given the high profile such incidents have gained in the past 18 months.
A great number of security firms have been actively scanning for vulnerable Log4j instances and for ransomware operators taking advantage of them – although, as CISA notes, no major attacks have yet been detected, suggesting ransomware crews may be biding their time for now.
Of particular concern in the past few days is a strain dubbed NightSky, which now appears to be spreading among VMware Horizon users running products vulnerable to Log4Shell. This comes after a warning last week from NHS cyber experts that an unspecified threat group was targeting VMware Horizon servers to establish persistence on target networks, injecting malicious web shells that could then be used to carry out further malicious activities.
Microsoft said a threat group it tracks as DEV-0401, likely based in China, was probably deploying NightSky through Log4Shell, beginning on or around Tuesday 4 January 2022. This group has previously used other ransomware families, including LockFile, AtomSilo and Rock, deployed through various publicly disclosed vulnerabilities, and appears to favour command and control infrastructure that spoofs legitimate security company domains, including big guns such as Sophos and Trend Micro.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” Microsoft’s cyber team wrote in an update posted on Monday 10 January.
“Organisations may not realise their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” it said.