{"id":33313,"date":"2022-12-28T16:57:22","date_gmt":"2022-12-28T21:57:22","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=519762"},"modified":"2023-01-03T10:32:36","modified_gmt":"2023-01-03T15:32:36","slug":"log4j2-vulnerability-on-year-later-it-is-still-being-exploited","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/log4j2-vulnerability-on-year-later-it-is-still-being-exploited\/","title":{"rendered":"Log4j2 vulnerability one year later: \u2018It is still being exploited\u2019"},"content":{"rendered":"<p data-ar-index=\"0\">This month marks the one-year anniversary of the <a href=\"https:\/\/www.itworldcanada.com\/article\/apache-issues-third-log4j-patch-new-attack-vector-found\/469083\" rel=\"noopener\">discovery of the Log4j2 vulnerability<\/a>. Technically, it\u2019s a 2021 cybersecurity event. However, IT and infosec leaders spent much of 2022 hunting for and patching applications using the buggy open-source logging library module.<\/p>\n<p data-ar-index=\"1\">If they\u2019re smart, they\u2019ll keep doing it in 2023, says one expert.<\/p>\n<p data-ar-index=\"2\">\u201cMany CISOs may still be thinking this is an exploit that is particular to a couple of vendors, and once they\u2019ve patched their current software, this problem has gone away,\u201d said Robert Falzon, head of engineering at Check Point Software Canada.<\/p>\n<p data-ar-index=\"3\">\u201cThere are [IT] systems that kick in only once or twice a year, and those systems may be vulnerable and overlooked from a checking perspective.<\/p>\n<p data-ar-index=\"4\">\u201cIt is still being exploited,\u201d he said, and will be \u201cfor some time to come.\u201d<\/p>\n<p data-ar-index=\"5\">\u201cThis component still exists in thousands of pieces of software across the entire spectrum of enterprises, from big to small. 
And despite the fact that Microsoft may have patched their current servers and software \u2026 there are organizations that are running other applications that are not being updated because they are not a piece of code that Microsoft or Linux has access to upgrade.\u201d<\/p>\n<p data-ar-index=\"6\">It can be hard for IT administrators to trace if you don\u2019t have the tools, he said. \u201cAttackers are targeting these in a much more effective way now, because they\u2019re mapping the environment of organizations that have this exposure,\u201d Falzon added.<\/p>\n<p data-ar-index=\"7\">Briefly, Apache Log4j is a free, open-source Java-based logging framework that collects and manages information about system activity.<a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CSRB-Report-on-Log4-July-11-2022_508.pdf\" rel=\"noopener\"> In a July report, the U.S. government\u2019s Cyber Safety Review Board<\/a> said Java developers have embedded it into thousands of software packages and services.<\/p>\n<p data-ar-index=\"8\">The problem in Log4j version 2 was introduced by the developers in 2013, and only discovered in November 2021. At that point, it was privately reported to Apache. However, before Apache could release a fix, it was publicly disclosed, triggering a race to find and patch the hole before it was exploited by threat actors.<\/p>\n<p data-ar-index=\"9\">The race wasn\u2019t always won by the good guys. Check Point has seen nation-state threat actors exploiting the vulnerability. Cisco Systems\u2019 Talos threat intelligence service reported the Mirai botnet attempting to exploit it. The U.S. report said an unnamed cybersecurity company investigated multiple ransomware incidents that leveraged the Log4j vulnerability from January through to March. That U.S. 
report also mentions that a news story said hackers had exploited the vulnerability at the Belgian Defense Ministry.<\/p>\n<p data-ar-index=\"10\">While threat actors were \u2014 and still are \u2014 trying to find vulnerable applications, many software developers haven\u2019t gotten the message. <a href=\"https:\/\/www.sonatype.com\/resources\/log4j-vulnerability-resource-center\" rel=\"noopener\">According to Sonatype\u2019s Log4j Vulnerable Downloads Dashboard<\/a>, about 25 per cent of the Log4j downloads every day are vulnerable versions of the library.<\/p>\n<p data-ar-index=\"11\">One good thing about the discovery is that it has increased the pressure on software developers to improve the quality of their code through rigorous processes, including creating a software bill of materials so purchasers will know what it comes with.<\/p>\n<p data-ar-index=\"12\">It has also put a spotlight on three major problems: how easy it is for threat actors to plant malware in open-source repositories such as GitHub, NPM and PyPI under spoofed library names; the difficulties faced by individuals who try to maintain open-source code in their spare time; and the need for every IT department to have a complete inventory of all the applications employees are authorized to use for work.<\/p>\n<p data-ar-index=\"13\">\u201cThe Log4j event highlighted fundamental adoption gaps in vulnerability response practices and overall cybersecurity hygiene,\u201d said the U.S. report. 
\u201cThese gaps highlighted challenges in raising awareness within organizations; coordinating trusted and authoritative sources of information; mitigating at scale; measuring the enormity of the risk; and synchronizing the understanding of threats and corresponding defensive action.\u201d<\/p>\n<p data-ar-index=\"14\">In their recent <a href=\"https:\/\/www.greynoise.io\/resources\/greynoise-2022-mass-exploitation-report\" rel=\"noopener\">2022 Mass Exploitation report<\/a> [registration required], researchers at GreyNoise Intelligence noted that the U.S. Cybersecurity and Infrastructure Security Agency\u2019s <a href=\"https:\/\/github.com\/cisagov\/log4j-affected-db\" rel=\"noopener\">GitHub database of software affected by the Log4j weakness<\/a> stopped receiving regular updates earlier this year. The last update showed either \u201cUnknown\u201d or still \u201cAffected\u201d status for about 35 per cent (1,550) of products catalogued. \u201cAttackers know what existing products have embedded Log4j weaknesses, such as the popular VMWare Horizon, and have already used the exploit in ransomware campaigns,\u201d the report says. \u201cIf you have not yet dealt with your internal Log4j patching, now would be a good time to get that into Q4 2022 and H1 2023 plans.\u201d<\/p>\n<p data-ar-index=\"15\">\u201cThis is a new dynamic for many organizations,\u201d said Falzon, \u201cwho don\u2019t even realize they have these resources internally, and that they are both critical and exploitable.\u201d<\/p>\n<p data-ar-index=\"16\">Over time, systems that look for vulnerable versions of Log4j2 will get better, he added, and as IT departments upgrade their security infrastructure, there will be fewer successful exploits. 
But the hole will continue to exist \u201cfor some time to come.\u201d<\/p>\n<p data-ar-index=\"17\">In its report, the Cyber Safety Review Board said IT departments should:<\/p>\n<p data-ar-index=\"18\">\u2022 have a documented vulnerability response program;<br \/>\n\u2022 continue to proactively monitor for and upgrade vulnerable versions of Log4j;<br \/>\n\u2022 prioritize applying software upgrades (using mitigations sparingly) to avoid errant conditions that would create exposure over the long term (for example, configuration mistakes that expose vulnerable attack surfaces);<br \/>\n\u2022 use robust business processes that prevent the reintroduction of vulnerable versions of Log4j (otherwise known as regressions);<br \/>\n\u2022 take a risk-based approach to remediate Log4j so they can address other high-severity vulnerabilities.<\/p>\n<p data-ar-index=\"19\">Application developers and maintainers should:<\/p>\n<p data-ar-index=\"20\">\u2022 establish a comprehensive approach to code maintenance that encompasses consistent secure development processes, and accounts for software security assessments and vulnerability management operations, as well as patch creation and co-ordinated disclosure;<br \/>\n\u2022 implement communication processes and mechanisms that provide consistent and relevant security messaging to software package users, noting all recommended data to include in a security advisory;<br \/>\n\u2022 leverage Integrated Development Environment (IDE) tools and add-ons for assisting in secure software development, consistent with NIST\u2019s Secure Software Development Framework;<br \/>\n\u2022 integrate source code scanning and tools that provide software maintenance status and versions to heighten their situational awareness of applications and software used within the environment.<\/p>\n<p data-ar-index=\"21\">The report, issued six months after the discovery of the hole, said Log4j has become an endemic vulnerability that will be exploited 
for years to come.<\/p>\n<p data-ar-index=\"22\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/log4j2-vulnerability-on-year-later-it-is-still-being-exploited\/519762\">Log4j2 vulnerability one year later: \u2018It is still being exploited\u2019<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lingering from 2021 and expected to be a worry for years, IT and security pros still have to face the Log4j2 hole. Read what they shoul<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[349,16,28],"tags":[470,548,391,755,396,393,275],"class_list":["post-33313","post","type-post","status-publish","format-standard","hentry","category-development","category-security","category-software","tag-application-developers","tag-check-point-software","tag-di","tag-log4j","tag-postmedia","tag-security-strategies","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=33313"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33313\/revisions"}],"predecessor-version":[{"id":33421,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33313\/revisions\/33421"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=33313"}],"wp:term":[{"taxonomy":"category","
embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=33313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=33313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}