February 24, 2023 By Ronda Swaney 4 min read

Vulnerabilities like Log4j remain responsible for security breaches a full year after the discovery of the flaw. In the months after widespread reporting about the vulnerability, 40% of Log4j downloads remained vulnerable to exploitation.

Rapid response — by both security teams and hackers

What made this exposure so damaging was how widespread this piece of code is and how hard it is to find exactly where it’s used. This open-source logging code from Apache was the most popular Java logging library, clocking in at over 400,000 downloads from GitHub. The code is embedded in many internet services and apps, including Twitter, Amazon, Microsoft, Minecraft and others. Because it was an easily accessible piece of open-source logging code, developers used it rather than taking the time to write their own during development. In the days after its discovery, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said in a CNBC interview, “The Log4j vulnerability is the most serious vulnerability that I’ve seen in my decades-long career.” She went on to say, “This is not something that will be patched and finished. This is something that we are likely going to be working on for months, if not years, given the ubiquity of the software and ease of exploitation.”

Publication of the vulnerability moved security teams to action. Apache listed all the projects affected by the Log4j flaw, but publicizing the flaw also prompted bad actors to take advantage of slower-moving or understaffed team responses. Cybersecurity software business Check Point noted that, within days of the vulnerability being reported, more than 60 new variations of the exploit appeared in a single 24-hour window.

Flaw still inspires new attacks

The initial Log4j vulnerability exposure was widespread and pervasive, but the danger remains, still threatening businesses. Threat landscapes shift with time. For example, Log4Shell is a vulnerability in Log4j 2. It allows a remote attacker to take control of a device on the internet if the device is running specific versions of Log4j 2. Apache created a patch, but that patch left part of the vulnerability unfixed, requiring second, third and fourth patches to fix new vulnerabilities as they were found. Threat actors count on security and IT teams being too busy, and users too uninformed about threats, for these patches to be applied at all. As recently as November 2022, Iran-linked threat actors exploited Log4Shell via unpatched VMware. CISA observed suspected threat activity at a Federal Civilian Executive Branch (FCEB) organization and determined that cyber threat actors had exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. From there, they installed crypto mining software on the server, moved to the domain controller, compromised credentials and then implanted Ngrok reverse proxies on several hosts.
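Finding every copy of log4j-core is the hard part, because it is routinely bundled inside WAR, EAR and fat-JAR archives under names that never say "log4j". The following is an added example, not code from the article or from Apache: an inventory scanner that opens archives recursively, reads the Maven `pom.properties` that log4j-core JARs carry, and grades each copy against the patch sequence described above. It assumes the JARs were built with that Maven metadata intact; the `vendor-bundle.jar` sample data is constructed here for the demonstration.

```python
import io
import re
import zipfile

# Maven metadata inside log4j-core JARs; its version= line beats the file name, which build tools rename.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-releases such as '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return int(m[1]), int(m[2]), int(m[3] or 0)

def classify(version):
    """Grade against the patch sequence (2.15.0, 2.16.0, 2.17.0 each incomplete;
    2.17.1 fourth fix). Assumption: Java 7/6 backport branches 2.12.x/2.3.x not modelled."""
    v = parse_version(version)
    if v[0] < 2:
        return "1.x end-of-life branch, review separately"
    if v < (2, 15, 0):
        return "vulnerable to Log4Shell, upgrade"
    return "early patch, incomplete, upgrade" if v < (2, 17, 1) else "fixed"

def scan_archive(data, location):
    """Return [(location, version, action)] for every log4j-core in a zip-format
    archive, descending into archives embedded in it (WEB-INF/lib/*.jar etc.)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if POM_PROPS in zf.namelist():
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            ver = next(p.split("=", 1)[1].strip() for p in props if p.startswith("version="))
            hits.append((location, ver, classify(ver)))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXTS):
                hits += scan_archive(zf.read(name), f"{location}!/{name}")
    return hits

def zip_bytes(entries):
    """Build an in-memory zip from {name: str_or_bytes} (test-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_war():
    """Constructed sample: a WAR with a vulnerable log4j-core plus a fixed copy under a renamed file."""
    return zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": zip_bytes({POM_PROPS: "version=2.14.1\n"}),
                      "WEB-INF/lib/vendor-bundle.jar": zip_bytes({POM_PROPS: "version=2.17.1\n"})})
```

Point `scan_archive` at the bytes of each archive found on a host (for example via `Path.rglob`) and the renamed copy shows up alongside the obvious one.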

This may be one of the newest iterations of the Log4j threat, but it assuredly won’t be the last. And, of course, there will be new threats that arrive in new ways through other vulnerabilities. It’s clear that updating software and encouraging users to install patches isn’t enough. Even when organizations do their best to stay up to date on all patches, threats morph and move fast enough to make those patches outdated. It may seem that updating devices and software belongs in the realm of IT. Still, given the urgency of security weaknesses and their business impact, security retrofitting needs to be a full-time concern.

Retrofitting as a central task for cybersecurity teams

Large organizations with thousands of devices and arduous processes for software and hardware updates remain especially susceptible, whether that’s to the Log4j vulnerability or as-yet-unknown vulnerabilities. Here are some tips on how to structure your team’s response plans and ensure you can retrofit security controls in the face of modern cybersecurity threats.

  1. Make addressing vulnerabilities a security team function. Software patches and device updates frequently fall to IT teams to accomplish. However, as noted above, patches and updates frequently can’t be done quickly enough to head off threats before they cause harm. Rather than overburden busy IT personnel, make threat vigilance and mitigation a security team function. Keep your security team on target by ranking priorities in order of urgency. Consider expanding this team if they’re stretched thin. Considering the cost to the business of falling prey to these attacks, the expense of expanding the team should be a reasonable price to pay for the added protection.
  2. Watch the watchers. Governments worldwide support cybersecurity agencies whose main mission is to warn organizations about cybersecurity threats. In the U.S., that organization is CISA. In the U.K., it’s the National Cyber Security Centre (NCSC). You can sign up to receive alerts from these and other trusted organizations. They describe the threat and offer resources and advice on how best to mitigate damage to your organization.
  3. Communicate early and often. Ensure there are open lines of communication between your cybersecurity and IT teams, as well as other mission-critical teams within your organization. Neither team can watch or know everything. Additionally, if the worst happens, it’s wise to have open communications with your vendors, partners and customers. If they put you at risk or you put them at risk, you need to know how and with whom to communicate if disaster recovery steps become necessary.
  4. Deepen your defense. Criminals are crafty. They will always look for — and find — the next opening to exploit. Your security practices should range from simple (strong passwords, multi-factor authentication or user controls) to more complex (vulnerability hunts or hackathons to find holes). Your organization might find a good threat-hunting program beneficial. The more security layers your organization erects, the less damage cyber criminals can do.
  5. Document — and practice — your plan. Disaster recovery plans go way beyond natural disasters. Resilient companies understand how all-encompassing modern disaster planning needs to be. Cybersecurity disaster planning outlines who owns and runs the plan, where the assets that require protection are, how to stop damage and loss, when the plan should be updated and what strategies will best protect your company. Like any good plan, it’s not a one-and-done task. Security threats evolve, so your plan must be updated and practiced to ensure it’s current and that each team member understands the role they play.

Organizations of all sizes are vulnerable to security threats. Strengthening your security posture remains the only option in a world where cybersecurity threats continue to multiply.
