Dive Brief:
- As U.S. industries and government agencies restart operations after the winter holiday break, security researchers are warning that the Log4j vulnerability will continue to leave organizations exposed to attack in the coming weeks and months.
- "Exploitation attempts and scanning remained high during the last weeks of December," Microsoft said in an updated blog post. Attackers have added exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks.
- The Apache Software Foundation released version 2.17.1 of Log4j last week, the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses a remote code execution risk in which an attacker with permission to modify the logging configuration file constructs a malicious configuration using a JDBC Appender whose data source references a JNDI URI, according to Apache; the fix limits JNDI data source names to the java protocol.
Dive Insight:
Security researchers say the longer term effects of Log4j are just beginning to play out across the industry.
"As we move into 2022 we are seeing the ripples on the effects of the Log4j critical vulnerability being the new preferred threat vector for cybercriminals," said Chuck Everette, director of cybersecurity advocacy at Deep Instinct.
Log4j downloads on Maven Central surpassed 8 million since the vulnerability was first disclosed, according to Brian Fox, CTO at Sonatype. The latest release, 2.17.1, saw the lowest adoption rate of all the releases, as a number of security researchers questioned whether CVE-2021-44832 should have been treated as a full vulnerability, given that it requires the attacker to already control the logging configuration.
Researchers from Checkmarx, which reported the flaw, said it did allow arbitrary code execution, after a dispute arose over earlier claims about its severity.
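Deciding whether a deployed build is below the fix release is the practical side of the adoption numbers above. The following is an added example written for this page, not code from the article, Apache, Sonatype or any vendor quoted here: a small Python scanner that walks a directory, finds log4j-core jars, including jars nested inside Spring Boot fat jars, WAR or EAR files, reads the version Maven records in pom.properties, and reports anything below the CVE-2021-44832 fix release for its branch. The 2.12.4 and 2.3.2 thresholds are Apache's Java 7 and Java 6 backport releases for the same CVE, which the article does not mention; the fixture jars are constructed in memory so the example runs offline.

```python
"""Locate log4j-core jars under a directory and flag versions below the
CVE-2021-44832 fix releases.  Editor-added example; not code from the
article, Apache, or any vendor quoted in it."""
import io
import os
import tempfile
import zipfile

# Path Maven writes into every log4j-core artifact; the version= line there
# is a more reliable marker than a file name, which deployers often rename.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Fix releases for CVE-2021-44832: 2.17.1 on the main line (the release the
# article covers), plus 2.12.4 and 2.3.2 on Apache's Java 7 / Java 6 branches.
FIX_MAINLINE = (2, 17, 1)
FIX_BRANCHES = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0). Non-numeric suffixes
    are dropped so pre-releases compare as their base version."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_fixed(version):
    """True when the version carries the CVE-2021-44832 fix for its branch."""
    v = parse_version(version)
    if v >= FIX_MAINLINE:
        return True
    branch_fix = FIX_BRANCHES.get(v[:2])
    return branch_fix is not None and v >= branch_fix


def find_versions(archive_bytes):
    """Return every log4j-core version recorded in an archive, descending into
    nested .jar/.war/.ear entries (BOOT-INF/lib, WEB-INF/lib, shaded jars)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return []
    found = []
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    found.append(line.split("=", 1)[1].strip())
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                found.extend(find_versions(zf.read(name)))
    return found


def scan_tree(root):
    """Map each archive under root to {version: fixed?} for the log4j-core it holds."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    versions = find_versions(fh.read())
                if versions:
                    report[path] = {v: is_fixed(v) for v in versions}
    return report


# --- constructed fixtures so the example runs offline (not real artifacts) ---
def make_log4j_core_jar(version):
    """Minimal jar holding only the pom.properties Maven emits for log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\n"
                                f"version={version}\n")
    return buf.getvalue()


def make_fat_jar(inner_jar, inner_name="BOOT-INF/lib/log4j-core.jar"):
    """Spring-Boot-style fat jar embedding inner_jar under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/application.properties", "constructed fixture\n")
        zf.writestr(inner_name, inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.jar"), "wb") as fh:
            fh.write(make_fat_jar(make_log4j_core_jar("2.17.0")))
        with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
            fh.write(make_log4j_core_jar("2.17.1"))
        for path, verdicts in scan_tree(root).items():
            for version, fixed in verdicts.items():
                state = "fixed" if fixed else "below fix release for CVE-2021-44832"
                print(f"{path}: log4j-core {version} -> {state}")
```

Point `scan_tree` at an application directory rather than the fixtures to use it for real. The scanner reads the Maven metadata rather than trusting file names, and treats a branch with no backport (2.16.x, for instance) as unfixed, which is what the Apache advisory implies; it does not check for the vendor-specific repackagings that some products ship, so a clean result is necessary but not sufficient.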
Most federal agencies have patched or used alternate mitigation methods to resolve the potential exposure to Log4j issues, according to the Cybersecurity and Infrastructure Security Agency (CISA). The agencies had a Christmas Eve deadline to take remediation steps.
"Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support 'solution stacks' that accept data input from the internet," a CISA spokesperson said.
In mid-December, researchers from Mandiant and Microsoft warned that nation-state actors were attempting to use the Log4j vulnerability to launch attacks against potential targets.
CrowdStrike disrupted an attack against a large academic institution by China-based threat actor Aquatic Panda, according to a blog post from the security firm. The attack was detected amid suspicious activity involving a VMware Horizon Tomcat web server. VMware issued guidance in December regarding potential Log4j vulnerabilities connected to VMware Horizon.
"The security of our customers is a top priority at VMware as we respond to the industry-wide Apache Software Foundation Log4j vulnerability," a VMware spokesman said in a statement. The company issued a security advisory on Dec. 10, which includes regular updates and fixes and the firm is encouraging customers to subscribe to its security advisories mailing list.
CrowdStrike researchers declined to provide any specific geographic information or other details on the attacked organization.
"While we cannot directly state that we are seeing broader use of this particular vulnerability by espionage actors, its viability as an access method is already proven," Param Singh, VP of Falcon OverWatch at CrowdStrike, told Cybersecurity Dive via email.
Aquatic Panda is connected to industrial espionage and intelligence collection and linked to activity starting in May 2020, according to CrowdStrike. Prior targets have mainly involved telecommunications, technology and government entities and the threat actor has relied heavily on Cobalt Strike to launch attacks, including the use of a downloader known as FishMaster, according to CrowdStrike.
VMware officials noted that any internet-connected service that isn't yet protected against Log4j is vulnerable, and recommended immediate patching.