Six months on, the infamous Log4Shell flaw still plagues thousands of companies

Like Covid, which never seems to end, will the Log4Shell flaw poison corporate life for a long time to come? It is certainly off to that kind of start. Six months after it emerged, the biggest computer bug in history is still far from resolved for thousands of companies around the world, which are still suffering its consequences.

It all started on November 24, 2021. That day, researchers discovered a major computer vulnerability, described as “an epidemic event” in the columns of La Tribune by Erka Koivunen, head of security at F-Secure. Located in the Log4j software component, the bug, which quickly acquired the name “Log4Shell”, caused a real stir among security teams. And with good reason: Log4j is used by thousands of applications written in Java (one of the most widely used programming languages in the world), so the incident concerned millions of machines belonging to thousands of companies.

Six months later, despite being overshadowed by fears related to the war in Ukraine, the Log4Shell threat has not disappeared. The peak of the crisis has passed, but the vulnerability is now beginning a new life cycle. “Today we are reaching the end of the comet’s tail”, Samuel Hassine, Cybersecurity Strategy and Operations Director at the vendor Tanium, explains to La Tribune.

A vulnerability that takes a long time to fix

Samuel Hassine reports the beginnings of calm after very complicated months for certain companies that struggled to track down the flaw across their networks. “For some, fixing the bug took only a few days. But for others, dependent on external vendors, it dragged on over time”, he explains. The Apache Software Foundation, which distributes Log4j, released a patch for the bug as soon as it became known. The problem is that it was then up to each vendor that used Log4j to apply this patch themselves. Some got to it immediately; others dragged their feet, either out of lack of interest or through ignorance of the component, and it was there that the crisis escalated.

On the one hand, there are companies that use only a small number of applications, most often popular and recent ones. The vendors of these applications updated them immediately, so for them the crisis lasted only a handful of days. On the other hand, there are larger companies with more complex and diverse networks. “In healthcare, for example, there are many programs written in Java, and among them some very old ones dedicated to very specific tasks. The problem is that this old software is sometimes no longer updated, and in some cases its vendors are no longer even reachable”, Samuel Hassine explains.

For this second category of companies, a real headache began: they had to inventory the applications running on their systems, identify those that use Log4j, make sure the vendors had shipped the patch, and update the applications. The problem: the update process is not as easy as it seems. “In some cases, an impact assessment must be performed beforehand to make sure that the patch does not break everything”, tempers Antoine Richer, application security expert at Accenture Technology in France. “If it is not possible to apply the patch, it is also possible to apply a virtual patch, which disables the functionality responsible for the vulnerability at the application level”, he adds. In other words, the security heads of the companies concerned had to assess each application case by case. A time-consuming and painstaking job.

A bug that is now firmly part of cyber attackers’ arsenal

As a direct consequence of this difficulty in dealing with Log4Shell, Rezilion researchers warned in April that the bug was still present in 90,000 applications and on 68,000 servers exposed to the Internet (and therefore open to attack). And even that was only “the tip of the iceberg”. These thousands of vulnerable machines are all entry points for cybercriminals. As a result, alerts about Log4Shell exploitation keep multiplying at regular intervals.

As recently as June 23, CISA, the US cybersecurity policeman, warned that Log4Shell was being exploited by malicious actors to reach VMware Horizon servers (workstation virtualization software widely used by companies). Once attackers have gained a foothold on these servers, they can move laterally through their victims’ workstations and look for internal systems that may contain sensitive data. Three months earlier, Mandiant researchers accused the Chinese government-affiliated hacker group APT41, known as Hafnium, of successfully exploiting Log4Shell to spy on the governments of “at least” six US states.

More generally, many cybercrime groups, some with financial goals and others with strategic ones, have added Log4Shell to their playbook, that is, the set of techniques they systematically try in order to get into their targets’ networks. Concretely, they scan their targets’ Internet-connected machines hunting for a whole set of very common vulnerabilities (such as Log4Shell) for which they have working exploitation methods.

According to Jamie Moles, an expert at the vendor ExtraHop, these capabilities are even built directly into botnets, networks of infected computers that can be rented to launch coordinated cyber attacks. The result: ExtraHop recorded 147,000 scans for the Log4j flaw in May alone, and almost as many in the previous months. Cybercriminals are after the easiest (and cheapest) way into their victims’ networks, and Log4Shell is a particularly easy door to walk through. “Java is one of the most widely used languages in web applications, which by definition are exposed to the Internet”, recalls Antoine Richer.

Developers are still downloading vulnerable versions of Log4j en masse

If Log4Shell continues to be exploited, it is not only because of delays in applying patches. For several months, the vendor Sonatype has observed a strange phenomenon that shows no sign of weakening: more than a third of the versions of Log4j downloaded from Maven (one of the reference repositories) are not up to date and therefore still contain the flaw. In other words, developers are integrating a software component that is vulnerable to attack. In February, the company’s CTO Brian Fox told the Wall Street Journal that the developers concerned “do not know what is going on in their software”. Since then, he has regularly repeated his observations without managing to change the status quo.

Questioned by a US Senate committee in February, the president of the Apache Software Foundation pointed out that there are several scenarios that justify the use of older versions of Log4j, for example to conduct security investigations, or because other components require an outdated version. But these special cases are not enough to explain more than 33% of downloads being vulnerable versions.

To avoid continuing down this path, professionals are trying to learn from security incidents such as Log4Shell. “The application security community is increasingly interested in the supply chain”, explains Antoine Richer. “We are becoming aware that a large part of the code of the applications we develop comes from external libraries. You need to know what you are importing into your code in order to control its use and respond more effectively in the event of an incident.” These best practices are gradually taking hold, but flaws are still being discovered at a breakneck pace.
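The inventory step described above (find which applications pull in Log4j and whether the version is current) and the supply-chain advice (“know what you are importing”) can both be automated over a build’s dependency list. The following is an added example, not code from the article or from any vendor quoted in it; it parses the `groupId:artifactId:type:version:scope` lines printed by `mvn dependency:list` and flags every `log4j-core` artifact older than a minimum safe version. The dependency list and all version numbers are constructed for the example, and `min_safe` is a placeholder to be set from the Apache advisory for your branch, since the article gives no version numbers.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format printed by `mvn dependency:list`;
# the artifacts and versions are invented for this example.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.1.0-beta9:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.7.3:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.7.3:test
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.50.0:runtime
[INFO]    com.example:widget-lib:jar:1.4.2:compile
"""

DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):"
    r"(?P<type>[^:\s]+):(?P<version>[^:\s]+):(?P<scope>\w+)"
)

@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    scope: str  # kept so test/provided-scope hits can be triaged separately

def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key for simple Maven versions such as 2.3.2 or 2.0-beta9.
    A qualifier (beta, rc, ...) ranks below the plain release it precedes."""
    release, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))          # 2.3 compares equal to 2.3.0
    return (nums, 0 if qualifier else 1, qualifier)

def find_outdated_log4j(dependency_list: str, min_safe: str) -> List[Finding]:
    """Return every log4j-core artifact whose version is older than min_safe.
    The check is keyed on log4j-core, the artifact that carries the logging
    implementation; extend the artifact filter if your advisory names others."""
    findings: List[Finding] = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        if m["group"] == "org.apache.logging.log4j" and m["artifact"] == "log4j-core":
            if version_key(m["version"]) < version_key(min_safe):
                findings.append(Finding(m["group"], m["artifact"], m["version"], m["scope"]))
    return findings

if __name__ == "__main__":
    # "2.50.0" is a placeholder threshold, not a real Log4j release.
    for f in find_outdated_log4j(SAMPLE_DEPENDENCY_LIST, "2.50.0"):
        print(f"OUTDATED {f.group}:{f.artifact}:{f.version} ({f.scope} scope)")
```

Run it against the real output of `mvn dependency:list` for each application in the inventory; transitive dependencies appear in that output too, which is exactly the “code coming from outside” the quote refers to.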