Organizations should expect to see continued cyberattacks leveraging the Log4Shell vulnerability in 2023, cybersecurity company GreyNoise Intelligence says in a new report.
The Washington, D.C.-based internet scanning traffic analysis firm’s recently released 2022 Mass Exploitation Report dives deep into the most significant threat detection events of the past year, including CISA’s growing catalog of Known Exploited Vulnerabilities and other high-profile vulnerabilities in Atlassian and Apache products.
However, the Log4j vulnerability garners significant attention in GreyNoise’s report, with the company saying the full scope of attacks involving the bug will never be known.
There were many high-profile attacks against government, financial institutions, and other organizations, and Log4Shell has found its way into the toolkits of a variety of hacking groups. In fact, the company has published blogs about a few instances, such as when hackers began using the exploit to target the Belgian Defense Ministry in late 2021, ransomware actors leveraging the bug, and a North Korean group using it to hack U.S. energy companies.
While the brunt of Log4Shell activity came in December 2021 and January 2022, GreyNoise warns that organizations should expect to see “persistent internet-facing exploit attempts” as Log4j attack payloads become part of the new background noise of the internet. The exploit code has been baked into numerous hacking kits of threat actors at every level.
“It’s very low risk for attackers to look for newly- or reexposed hosts, with the weakness unpatched or unmitigated,” GreyNoise says in the report. “This means organizations must continue to be deliberate and diligent when placing services on the internet.”
The firm also urges vigilance against post-initial-access internal attacks using the Log4j exploit. CISA’s database of software affected by the vulnerability has stopped receiving regular updates, and about 35% of its roughly 1,550 products are listed as either “unknown” or “still affected.”
“Attackers know what existing products have embedded Log4j weaknesses, such as the popular VMWare Horizon, and have already used the exploit in ransomware campaigns,” the company says in the report. “If you have not yet dealt with your internal Log4j patching, now would be a good time to get that into Q4 2022 and H1 2023 plans.”
According to a July 2022 report from the U.S. Department of Homeland Security’s Cyber Safety Review Board on the Log4j vulnerability, the bug will remain an issue for a decade or more, and GreyNoise seems to concur. The company says to expect “at least a handful of headline-grabbing Log4j-centric attacks” this year.
“Organizations have to strive for perfection, while attackers need only persistence and luck to find that one device/service still exposing this weakness,” the company says. “We will see more organizations impacted by this, and it is vital you do what you can to ensure yours isn’t one of them.”