With Log4j vulnerability, the full impact has yet to come

There’s no way to sugarcoat it: the widespread vulnerability in Apache Log4j is going to be exploited for some nastier cyberattacks than those we’ve seen so far. And the worst of them may actually be months — or even years — into the future.

Sophisticated attackers often create a backdoor into an exploited server, enabling them to bypass security tools as they re-enter and exit. So even if an organization has patched against the vulnerability in Log4j, known as Log4Shell, the attacker may continue to have a way in.

If that sounds scary — well, it probably should.

“In many cases, attackers breach a company, gain access to networks and credentials, and leverage them to carry out huge attacks months and years later,” said Rob Gurzeev, cofounder and CEO of CyCognito.

New players

The vulnerability in the widely used Log4j logging library was publicly revealed a week ago, and an onslaught of more than 1 million attempted attacks have followed, according to Check Point. Researchers at the company said they’ve observed attempted exploits on more than 44% of corporate networks worldwide.

Most of the malicious attack volume over the past week has involved hobbyists or solo operators, said Casey Ellis, founder and chief technology officer at Bugcrowd. But evidence has emerged that more sophisticated attackers have begun to exploit the vulnerability in Log4j — such as initial access brokers linked to ransomware-as-a-service groups.

In comparison to the hobbyists, these attackers are more like a multinational enterprise, Ellis said.

“Their business model is built on scale and reliability of intrusion, as opposed to the more opportunistic bias of the ‘smaller fish,’” he said. “Sophisticated attackers don’t want to get caught before they’ve gotten their job done, so they tend to develop techniques and operating practices that make them quieter, and harder to see.”

Sophisticated attackers utilize this time to survey users and security protocols before executing the full brunt of their attacks, said Hank Schless, senior manager for security solutions at Lookout.

“Doing so helps them strategize how to most effectively avoid existing security practices and tools while simultaneously identifying what parts of the infrastructure would be most effective to encrypt for a ransomware attack,” Schless said.

Other activities can include exfiltrating data slowly — so slowly that it typically won’t be blocked or detected, Gurzeev said.

Evading detection

Hackers can definitely be detected in this situation, but they also continuously improve their tactics to ensure they can be undetected, said Asaf Karas, chief technology officer for security at JFrog. “We’ve already seen the use of obfuscation to avoid detection,” Karas said.

In the case of the Sony breach of 2014, for instance, the New York Times reported that the attackers spent two months mapping the company’s systems and identifying key files. (“They were incredibly careful, and patient,” a person briefed on the investigation told the Times, speaking of the attackers.) Wired reported that the attackers may have been stealing data over the course of a full year.

“If the motive is to steal sensitive information, you might want to just be really quiet and just listen in and steal data as it’s coming,” said Sonali Shah, chief product officer at Invicti.

But after a breach comes to light, it’s not always clear how the attackers even got in originally — especially if a large amount of time has passed. And that may very well be the case with any major attacks that stem from the vulnerability in Log4j, Gurzeev said.

“Since we might only learn about the attacks in months or years from now, it might be tough to correlate,” he said.

‘Sky is the limit’

Researchers have said they do expect more serious attacks, such as ransomware, to result from the vulnerability in Log4j. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users. Vendors including Bitdefender and Microsoft have already reported attempted ransomware attacks exploiting the vulnerability in Log4j.

When it comes to remote code execution, “the sky is the limit on what an attacker can achieve as an end result as they pivot and execute commands on other apps, systems, and networks,” said Michael Isbitski, technical evangelist at Salt Security.

Due to the widespread nature of the flaw, “the long tail on this vulnerability is going to be pretty long,” said Andrew Morris, the founder and CEO at GreyNoise Intelligence. “It’s probably going to take a while for this to get completely cleaned up. And I think that it’s going to be a little bit before we start to understand the scale of impact from this.”

Response effort

The good news is that in some ways at least, businesses are in a better position to avoid a catastrophe now than in the past. This being 2021, many businesses are more primed to respond quickly — as evidenced by the rapid response of security teams late last week, many of which worked through the weekend to secure their systems.

Meanwhile, key technologies for defenders looking to root out the attackers sitting in their networks can include web application firewall (WAF) and intrusion prevention system (IPS) technologies, Ellis said.

“A motivated attacker will find a bypass for them, but the noise generated by everyone else will be turned down in the process, making their activities easier to see,” he said.

For larger organizations, “the big thing is to do everything you can to know where Log4j is or is likely to be in your environment, then logging everything and watching it — especially internally — like a hawk, and treat suspected attacks against these systems as though they were successful,” Ellis said.

For smaller organizations who might lack the headcount to do this, “working on an ‘assume breach’ basis and deploying honeypots and honeytokens is a low-noise, high-signal way to detect post-exploitation activity,” he said. Honeypots are fake “vulnerable” servers meant to catch attackers in the act, while honeytokens offer a similar concept but for data.

Ultimately, getting a handle on all of the assets and systems that the organization possesses is a critical first step, Gurzeev said.

“You can’t protect what you don’t know,” he said. “But once you know, you can set compensating controls, close the gaps, and take other steps to minimize customer risk and business risk — which should be everyone’s top priority.”