4 months after the discovery of the critical Log4Shell zero-day vulnerability, millions of Java applications still remain vulnerable to compromise, researchers have found.
Researchers at security firm Rezilion analysed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to ‘break the internet’ when it was discovered in Dec.
Apache Log4j
The flaw in the Java logging library Apache Log4j is easily exploitable & can allow unauthenticated remote code execution (RCE) & complete server takeover.
Rezilion had expected that, given the “massive amount of media coverage” the bug received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tues. However, their analysis found a very different story, he stated.
“We learned that the landscape is far from ideal & many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.
Evidence
Researchers did a search on the Shodan search engine to see how many apps vulnerable to Log4Shell are exposed to the internet. They identified 90,000 potential vulnerable internet-facing applications, which they believe “is just the tip of the iceberg in terms of the actual vulnerable attack surface,” Perkal wrote.
Researchers divided the apps into 3 categories. The 1st 2 are containers whose latest version still contains obsolete versions of Log4j, & containers whose latest version is up to date but which still show evidence of using previous versions.
Minecraft
The 3rd category is publicly facing servers of the world’s favourite internet game, Minecraft, which highlight the risks of outdated proprietary software, researchers noted. Minecraft servers are where the vulnerability 1st turned up, & apparently it still persists there.
Researchers cited other sources for further proof that the Log4Shell attack surface remains large. One was the Google service Open-Source Insights, which scans millions of open-source packages. The service found that out of a total of 17,840 packages affected by the flaw, only 7,140 were patched, making nearly 60% still vulnerable.
Aren’t Patched
Moreover, many applications are still using Log4j version 1.x & likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-2021-44228, doesn’t apply to this version, researchers noted.
This is a misconception, as that version has been “in an end-of-life state since Aug. 2015 (which means it does not get any security updates), & contains plenty of other vulnerabilities, including RCE vulnerabilities,” Perkal noted.
“This should definitely worry organisations that are still using it,” he wrote.
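A check a defender can run over a container image or host filesystem, covering both the outdated-container categories described above and the Log4j 1.x case, as an added example that is not part of the Rezilion report or this article: it classifies Log4j JARs by the version in their file name and records whether the JndiLookup class is still inside. The fix-version thresholds are taken from Apache’s published fixed releases rather than from the article (an assumption to verify against the current advisory), and the constructed sample tree and all function names are assumptions.

```python
import os
import re
import tempfile
import zipfile
# Thresholds follow Apache's published fixed releases, not the article: 2.15.0 first fixed
# CVE-2021-44228, 2.17.1 carries the follow-up fixes (2.3.x / 2.12.x are the Java 6 / 7 branches).
BRANCH_FIXES = {(2, 3): ((2, 3, 1), (2, 3, 2)), (2, 12): ((2, 12, 2), (2, 12, 4))}
MAIN_FIXES = ((2, 15, 0), (2, 17, 1))
JAR_NAME = re.compile(r"log4j(?:-core)?-(\d[\w.\-]*)\.jar", re.IGNORECASE)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_log4j_version(version):
    # '2.0-beta9' -> (2, 0, 0), '2.14.1' -> (2, 14, 1); pre-release tags are dropped
    nums = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    v = tuple((nums + [0, 0, 0])[:3])
    if v[0] != 2:  # 1.x: no Log4Shell, but unsupported since 2015 with its own RCEs
        return "EOL-1.x" if v[0] == 1 else "UNKNOWN"
    first_fix, full_fix = BRANCH_FIXES.get(v[:2], MAIN_FIXES)
    if v < first_fix:
        return "VULNERABLE-CVE-2021-44228"
    if v < full_fix:
        return "PARTIALLY-PATCHED"  # initial fix only; later advisories (DoS etc.) apply
    return "OK"

def scan_jars(root):
    # Walk `root`, classify each Log4j JAR by name, and record whether JndiLookup is inside
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.fullmatch(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
            except zipfile.BadZipFile:
                has_jndi = None  # unreadable archive: still report it
            findings.append({"path": path, "version": m.group(1),
                             "status": classify_log4j_version(m.group(1)),
                             "jndi_lookup_present": has_jndi})
    return findings

def build_constructed_tree():
    # Constructed sample input: a vulnerable 2.14.1 core JAR and an EOL 1.x JAR
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stub class bytes
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return root
```

A JAR whose version looks patched but still ships JndiLookup, or a shaded JAR that does not carry a Log4j name, needs a content-based scan rather than this file-name check.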
Active Exploitation
Most worrying about the vulnerable attack surface is that Log4Shell remains a large target for threat actors, researchers noted. Attackers set upon the bug as soon as it was discovered (it was already under active exploitation at disclosure) & have not stopped since.
While Apache released a patch for Log4Shell within a day of discovery, that patch itself had issues that could lead to DoS attacks, & apparently it still hasn’t been applied in many cases.
First attempts to exploit the bug in the wild were aimed at ransomware deployment & coin miners; however, as time went on, APT groups joined in & began exploiting the flaw in earnest, researchers explained.
Chinese APT 41
Recently, active exploitation of Log4Shell has been linked to the Chinese APT 41 group & Deep Panda, Perkal stated. Before this, the Chinese state-sponsored espionage group HAFNIUM & Iranian-backed groups APT35 (aka Newscaster) & Tunnel Vision also targeted this flaw.
Currently there are still dozens of recorded daily exploitation attempts of Log4Shell, according to a honeypot set up by the SANS Internet Storm Centre, researchers concluded.