More than a month has passed since the reactive measure related to the Log4Shell vulnerability was issued. This vulnerability, CVE-2021-44228, is present in the Apache Log4j logging component and has the highest possible criticality score of CVSS 10.0. Log4j is used by hundreds of systems and applications for logging; at the time of detection, the total number of vulnerable systems worldwide was estimated in the high hundreds of millions, which makes Log4Shell highly critical. The vulnerability allows attackers to compromise even systems that are not directly accessible from the Internet, execute code on them entirely without authentication, and gain full control of the server. Attackers can thus obtain access credentials, read and exfiltrate data, or install other malicious code, including ransomware, all with relatively little effort, since exploiting this vulnerability is not technically difficult.
The Log4Shell vulnerability was announced on 9 December, and NCISA published an alert about it on its website the next day. After several days of analyzing and evaluating the potential impact on Czech cybersecurity, the agency decided to issue a reactive measure pursuant to Section 13 of Act No. 181/2014 Coll., on Cybersecurity.
After NCISA issued the reactive measure on December 15, additional vulnerabilities were discovered in Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105). Once the security community's attention was focused on Log4j, researchers around the world began analyzing it and found further vulnerabilities in the affected logging component. However, none of these vulnerabilities was as critical as the original Log4Shell, and none has been widely exploited. Although CVE-2021-45046 had a criticality score of 9.0, the recommendations in the reactive measure already applied to the entire Log4j component, so no additional change was required. In general, however, organizations need to maintain awareness of new vulnerabilities and continually update all of their systems.
The consequences of Log4Shell are not yet as extensive as we expected in the context of such a critical vulnerability. The NCISA has registered three incidents as of 21 January 2022 and classifies all of them as “minor” given their limited impact:
- The administrators of the first organization decided to check for vulnerabilities in their systems after the NCISA issued the reactive measure. While implementing the recommended procedures, they found a log on one of their servers that indicated a possible security incident. The attacker was caught while trying to install a remote management tool on their systems;
- In the second case, the attackers installed cryptominer software on the attacked organization's web server;
- In the third organization, attackers compromised a mobile device management server, but data shows they were unable to get deeper into the infrastructure.
The situation is similar in the rest of the world. Immediately after the vulnerability was announced, it was widely exploited by cryptominer and botnet groups, and one of the most active ransomware groups, Conti, used it to launch attacks. However, no serious incidents involving APT groups are yet publicly known.
There are several plausible explanations. The first is that the victims may not know they have been compromised. The compromise could have occurred quickly, and more sophisticated attackers could have quickly established other means of persistence and covered their tracks, leaving no indication that Log4j was the entry point. In fact, many APT groups wait in their victims' networks for the right moment to attack, or attempt to remain undetected for cyber espionage purposes. Another explanation is that organizations have secured their Log4j products. After the reactive measure was issued, dozens of organizations contacted the NCISA and requested system scans. At most organizations the scans were intercepted by scan-preventing technologies, which means that third parties cannot easily determine whether or not vulnerable systems are present in their infrastructure. A sophisticated attacker would be able to bypass such measures in a targeted attack, but against general scans, where attackers try to discover vulnerable systems with as little effort as possible, the measures are effective.
Despite this, it is likely that the number of incidents registered by the NCISA in connection with the vulnerability is not final and more will be discovered. Log4Shell may also manifest itself in incidents where attackers exploit it to move laterally within the infrastructure. Due to its nature, systems vulnerable to Log4Shell will persist in the medium term: Log4j is embedded in millions of programs, and organizations depend on the authors of those programs to patch them. In addition, the Microsoft Threat Intelligence Center (MSTIC) has confirmed that APT groups are adding Log4Shell to their toolset. These are groups that generally have rather long-term goals and often try to remain undetected in their victims' networks. Therefore, there is a real possibility that their attacks will materialize later.