Disclosed in mid-December 2021, Log4Shell has been called the “most serious vulnerability” of our time by Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Agency. Easterly stressed that businesses should assume they are vulnerable and act now to protect themselves against the broad-reaching security flaw, as its impact could be felt for years to come. Weeks later, many organizations are still struggling to figure out whether their systems have the vulnerability.
But just what is Log4Shell? LookingGlass Chief Cyber and Technology Officer, Norm Laudermilch, teamed up with Shodan Founder and CEO, John Matherly, to give an overview of the vulnerability and share how the companies’ partnership is powering a new level of security visibility.
Let’s Start with Log4j…
Log4j is a nearly ubiquitous software component that records events—like 404 errors and routine system operations—and then sends diagnostic messages about them to system administrators and users. It is open-source software provided by the Apache Software Foundation.
LookingGlass uses the name Log4Shell to describe the vulnerabilities in Log4j that were disclosed at the end of 2021. Unfortunately for the millions of companies and products using Log4j, Log4Shell exploits a capability that allowed users to create custom code for formatting log messages. This feature also enables third parties to submit code that can perform all kinds of malicious activity, including accessing sensitive information, taking control of systems, and delivering malware to users who communicate with the affected server.
What Makes Log4Shell so Problematic?
Beyond the ease with which this weakness can be exploited by even relatively novice hackers, a major concern about Log4Shell is Log4j’s position as a critical piece of IT infrastructure. Logging functionality is a key component of most software, making Log4j widespread in software supply chains. In addition to wildly popular games like Minecraft (where the vulnerability was first discovered), it’s used in Apple iCloud, Amazon Web Services, and even security tools. This particular vulnerability gives threat actors an attack surface as broad as the internet that they can exploit to gain a foothold in potential victims’ networks.
Multibillion-dollar household-name companies like Apple and Amazon have the resources to find and implement patches for Log4j in their software supply chains. But many businesses, including most critical infrastructure organizations, are finding it hard to know whether Log4j is being used in their interconnected systems because it is often bundled as part of other software. The way Log4j is incorporated into a product also dictates an organization’s response – yet another reason why the logging software’s diverse and widespread usage makes the vulnerability even harder to resolve.
Mapping Log4j Vulnerabilities with Shodan
To understand the breadth of the Log4j vulnerability, LookingGlass leveraged its longstanding partnership with Shodan. Shodan is a search engine that gathers information about Internet-connected devices and systems. Shodan detects devices that are connected to the Internet at any given time, the locations of those devices, and the software they’re running. These devices could be part of any number of systems, including business networks, surveillance cameras, industrial control systems, and smart homes.
Shodan collects an astounding amount of data on billions of publicly available IP addresses. While LookingGlass has partnered with Shodan for several years, recent improvements to our data science program now enable us to ingest more Shodan data. Our revamped data lake—which consumes nearly all of Shodan’s data—allows LookingGlass analysts to query Shodan information and correlate with open source intelligence, dark web chatter, and traditional threat intelligence to identify actionable insights at an unprecedented rate.
LookingGlass Log4j Findings
Using Shodan’s inferred vulnerabilities capability, the LookingGlass team configured our scoutPRIME solution to continuously monitor and assess the cyber risk of internet-connected assets that likely had the Log4Shell vulnerability. Within days of the vulnerability’s disclosure, LookingGlass analysts identified more than 12,000 internet-connected assets that were potentially vulnerable to Log4Shell and that exhibited additional exposures and risks, such as bot infections, expired certificates, C2 nodes, and open ports.
After two weeks, the LookingGlass collection identified more than 21,000 assets that potentially have Log4Shell and categorized the ownership of these assets to highlight impacts to U.S. critical infrastructure. Our findings include:
- Nearly 700 Defense Industrial Base organizations affected
- More than 500 Communications companies affected
- More than 200 IT companies affected
Due to the number of applications that utilize Log4j for logging and the ease of exploitation of Log4Shell—and to better protect customers and the cybersecurity community—LookingGlass collected and correlated threat intelligence data from across our attack surface and threat intelligence solutions. Unsurprisingly, our findings indicate that the impact of Log4Shell will persist well into 2022, with more threat actors and ransomware groups utilizing the vulnerability.
What Organizations Should do About Log4j
As you can tell by now, Log4j’s impact is both immediate and vast. Here are a few things that organizations can do to prevent any further, or future, exploitation:
- Discover vulnerable assets: enterprises should continuously monitor their attack surfaces to identify assets running Log4j. Daily scans over the next several months will be critical to determining whether you’re using a product that bundles Log4j.
- Monitor the extended attack surface: government and critical infrastructure organizations should take a comprehensive approach to cybersecurity and monitor their vendors and supply chain attack surfaces to identify and manage risk associated with Log4Shell.
- Respond/Patch immediately: organizations should work with internal teams and third-party vendors to patch and monitor for new vulnerabilities.
- Monitor dark web activity: due to the number of applications that utilize Log4j and the ease of exploitation, threat actors will continue to take advantage of this vulnerability into 2022. Organizations need continuous monitoring of dark web activity for proactive cyber defense.
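The first recommendation above, discovering which of your own assets bundle Log4j, is the step most organizations get stuck on because the library is usually nested inside other software. The following host-side inventory script is an added example written for this article; it is not LookingGlass or Apache code. It walks a directory tree, opens every .jar/.war/.ear archive, recurses into archives nested inside them, and reports any archive that carries the log4j-core class `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the class that implements the lookup feature the vulnerability abuses) along with the `Implementation-Version` recorded in the archive's manifest. The sample tree it builds when run without arguments is constructed data: a fake application .war bundling a fake log4j-core jar labelled version 2.14.1, plus an unrelated clean jar.

```python
"""Inventory scanner: find archives that bundle log4j-core by looking for
JndiLookup.class, including inside nested jars (e.g. WEB-INF/lib/*.jar).
Added example, not code from the original article."""
import io
import os
import sys
import tempfile
import zipfile

# Class present in log4j-core; its presence means the JNDI lookup feature is on board.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive(data, label, findings, depth=0, max_depth=5):
    """Inspect one archive held in memory; recurse into archives nested inside it.
    `label` uses the jar-URL style 'outer.war!/inner.jar' so nested hits are traceable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            findings.append({"path": label, "version": manifest_version(zf), "jndi_lookup": True})
        if depth >= max_depth:
            return  # guard against pathological nesting
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1, max_depth)


def scan_tree(root):
    """Walk `root` and return a list of findings for every archive containing JndiLookup."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_sample_tree(root):
    """Constructed sample data (not real software): an application .war that bundles a
    log4j-core-style jar, and one unrelated jar that should not be reported."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    os.makedirs(os.path.join(root, "apps"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "apps", "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "apps", "clean.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Usage: python scan_log4j.py [directory]; with no argument, scans the sample tree.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for hit in results:
        print(f"{hit['path']}  version={hit['version']}  JndiLookup=present")
```

Run it against application directories, container image layers, or backup extracts; the output path tells you which product bundled the library, which is exactly the information needed to decide whether the fix is a vendor patch, an upgrade of the jar, or (as Apache documented for older releases) removal of JndiLookup.class from the archive. Re-running it on a schedule covers the "daily scans" recommendation for the hosts you control; it does not replace external attack-surface monitoring for assets you cannot log into.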
If you need assistance finding Log4j in your organization, get in touch with us today.