Major government attack highlights how Log4j is still unresolved

March 11, 2022 By Luke Mcbride

News of a major exploit using the Log4j vulnerability, four months after its disclosure, has been a painful reminder that the issue is still a serious problem. Reports now link China's APT41 hacking group with breaching at least 6 U.S. state government networks, and the situation may go from bad to worse. As reported by VentureBeat:

"… in all likelihood, the full extent of the damage will still be unknown for some time. For instance, attackers may be waiting for an opportune time to use the access they gained through breaching systems using Log4Shell."

As Sonatype CTO Brian Fox explained,

"These events track with the typical time lapse we've seen with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective this isn't surprising: a high-spread, low-complexity vulnerability equals a 100 percent chance of being used."

There are other published examples of successful Log4j exploits, including Fintech ransomware, the Belgium defense ministry, and a Dridex banking Trojan. However, no issue so far has risen to this level of potential harm.

How did we get here?

It was only a day after the initial announcement that the CVE-2021-44228 exploit was published. Federal employees were asked to work over the holiday to help resolve issues that could affect infrastructure and national security. In January, U.S. officials were warning about long-term fallout from Log4j, and the FTC issued a warning to companies that did not remediate the issue.

The Biden White House even addressed issues for both public and private entities.

Timeline of major Log4j events

With all the press and attention given, there remained hope that there wouldn't be a significant intrusion, but the ease of attack and the widespread use of the open source component made that seem unlikely.

Definitely not over

Advice from Brian Fox:

"The reason this is still a problem is that so many companies have not covered the basics, and simply don’t understand what’s in their software. Our data shows that nearly 40% of Log4Shell downloads are still of vulnerable versions. Meaning there’s a high chance that other state and national governments — not just in the U.S. — will be breached in the coming months by bad actors.”

"What I advise now is what I've advocated for a long time: urge your software vendors to create and continuously update a software bill of materials (SBOM) and invest in a tool that includes software composition analysis (SCA). To be really responsive, you need a tool that's telling you about a new vulnerability along with all the places that are affected. SCA tools provide insights about the components in a project and determine the potential risk.

These tools should be automated to monitor components across the entire software development life cycle (SDLC)."
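A miniature of the workflow Fox describes, added here as an illustration rather than code from Sonatype or from the post: it reads a few CycloneDX-style SBOMs (constructed inline for the example), compares each log4j-core coordinate against a small vulnerability table, and reports every application and component that a given advisory touches. The table holds the affected range for CVE-2021-44228 as published in the Apache advisory (2.0-beta9 up to but excluding 2.15.0, with the 2.12.2 and 2.3.1 security backports excluded); a real SCA tool refreshes this from a maintained feed rather than hard-coding it. The application names, the SBOM contents and the `version_key` ordering are assumptions made for the example.

```python
import re

# One entry of a vulnerability table, in the shape an SCA tool keeps internally.
# The range is the one published in the Apache advisory for CVE-2021-44228;
# a real tool refreshes this from a feed rather than hard-coding it.
VULN_DB = [
    {
        "id": "CVE-2021-44228",
        "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
        "introduced": "2.0-beta9",            # first affected release
        "fixed": "2.15.0",                    # first release carrying the fix
        "not_affected": {"2.12.2", "2.3.1"},  # security backports on older branches
    }
]


def version_key(v):
    """Map a Log4j version string to a sortable tuple.

    '2.0-beta9' and '2.0-rc1' sort before the final '2.0', and '2.0' equals
    '2.0.0'. This ordering is an assumption for the example; a production
    tool should use a Maven-aware comparator.
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))          # pad '2.0' to '2.0.0'
    if not pre:
        return nums + (1, 0, 0)             # final release ranks above any pre-release
    m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(m.group(1), 3) if m else 3
    return nums + (0, rank, int(m.group(2) or 0) if m else 0)


def is_affected(vuln, version):
    """True when `version` lies in the advisory's [introduced, fixed) range
    and is not one of the backported security releases."""
    if version in vuln["not_affected"]:
        return False
    k = version_key(version)
    return version_key(vuln["introduced"]) <= k < version_key(vuln["fixed"])


def scan_sbom(sbom, vuln_db=VULN_DB):
    """Return (application, purl, cve) findings for one CycloneDX-style SBOM."""
    app = sbom.get("metadata", {}).get("component", {}).get("name", "<unnamed>")
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        name, _, version = purl.partition("@")
        if not version:
            continue
        for vuln in vuln_db:
            if name == vuln["purl_prefix"] and is_affected(vuln, version):
                findings.append((app, purl, vuln["id"]))
    return findings


def affected_places(sboms, vuln_db=VULN_DB):
    """Group findings by CVE: one new advisory -> every place it applies to."""
    by_cve = {}
    for sbom in sboms:
        for app, purl, cve in scan_sbom(sbom, vuln_db):
            by_cve.setdefault(cve, []).append(f"{app}: {purl}")
    return by_cve


def _sbom(app, *deps):
    """Build a minimal CycloneDX-shaped SBOM (constructed sample data)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": app}},
        "components": [
            {"type": "library", "purl": f"pkg:maven/{group}/{name}@{ver}"}
            for group, name, ver in deps
        ],
    }


LOG4J = "org.apache.logging.log4j"
# Constructed sample inventory of four applications (hypothetical names).
SAMPLE_SBOMS = [
    _sbom("payments-api", (LOG4J, "log4j-core", "2.14.1"), (LOG4J, "log4j-api", "2.14.1")),
    _sbom("legacy-batch", (LOG4J, "log4j-core", "2.12.2")),      # backport, not affected
    _sbom("reporting", (LOG4J, "log4j-core", "2.17.1")),         # already upgraded
    _sbom("inventory-svc", (LOG4J, "log4j-core", "2.0-beta9")),  # oldest affected tag
]

if __name__ == "__main__":
    for cve, places in affected_places(SAMPLE_SBOMS).items():
        print(cve)
        for place in places:
            print("  ", place)
```

Two details carry the point of the quote. Matching is on the full package coordinate, so log4j-api in the same application is not flagged (only log4j-core is in the advisory), and the backported 2.12.2 release is recognised as fixed even though a naive "anything below 2.15.0" check would flag it. Because findings are grouped by CVE across every SBOM, a new advisory becomes a single lookup that lists all the affected places at once, which is what lets a team respond in hours rather than weeks.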

Take action

All of this can help you avoid headaches, FTC lawsuits, customer data loss, and bad publicity.

Tags: vulnerabilities, government, News and Views, Log4j

Written by Luke Mcbride

Luke is a writer at Sonatype covering everything from open source licenses and liability to DevSecOps trends and container security.