6 months later, the dreaded Log4Shell vulnerability still affects thousands of companies

Like Covid, which never seems to end, will the Log4Shell vulnerability poison the lives of companies for the long term? In any case, it is heading that way. Six months after it appeared, the biggest computer vulnerability in history is far from being resolved for thousands of companies around the world, which are still suffering its consequences.

It all started on November 24, 2021. On that day, researchers discovered a major computer vulnerability, “an epidemic-level incident”, as Erka Koivunen, security manager at F-Secure, described it in the columns of La Tribune. Located in the Log4j software component, the flaw, quickly dubbed “Log4Shell”, caused real commotion among security teams. And for good reason: Log4j is used by thousands of applications coded in Java (one of the most widely used programming languages in the world), so the incident concerned millions of machines belonging to hundreds of thousands of companies.

Six months later, even though it has been overshadowed by fears related to the war in Ukraine, the threat of Log4Shell has not disappeared. The peak of the crisis is past, but the vulnerability is now starting a new life cycle. “We are now arriving at the end of the comet’s tail”, Samuel Hassine, Cybersecurity Strategy and Operations Director at the vendor Tanium, explains to La Tribune. In other words, the incident response period, much longer than usual because of the specifics of the flaw, has only just ended. Even so, the exploitation of Log4Shell by malicious actors is still in its infancy.

A weakness that takes a long time to heal

Samuel Hassine reports a return to calm after several complicated months for some companies, which struggled to track down the flaw in their computer networks. “For some, fixing the flaw only took a few days”, he explains. The Apache Software Foundation, which distributes Log4j, released a patch to fix the vulnerability as soon as it became known. The problem is that it is up to every vendor that uses Log4j to deploy this patch itself. Some did so immediately; others dragged their feet, whether out of lack of interest or because they did not know they used the component. And that is where the crisis grew.

On the one hand, there are companies that use only a small number of applications, often popular and recent ones. The vendors of these applications updated them immediately, so the crisis lasted only a few days for them. On the other hand, large companies have more complex and diverse computer networks. “In healthcare, for example, a lot of software is coded in Java, and among it, some is very old and serves specific tasks. The problem is that this old software can sometimes no longer be updated, and in some cases its vendors are out of reach”, Samuel Hassine continues.

For the second category of companies, a real headache begins: they need to inventory the applications running on their equipment, find those that use Log4j, make sure the vendors deploy the patch, and then update the applications. Problem: the update process is not as easy as it looks. “In some cases, an impact analysis must be done beforehand to make sure the patch does not break everything”, explains Antoine Richer, application security expert at Accenture Technology in France. “If it is not possible to deploy the patch, a virtual patch can also be deployed, removing the function responsible for the vulnerability at the application level”, he adds. In other words, the security managers of the companies concerned have to decide for each application on a case-by-case basis. A time-consuming, painstaking job.

A vulnerability firmly established in the arsenal of cyberattackers

As a direct result of this difficulty in fixing Log4Shell, researchers at Rezilion warned in April that the vulnerability was still present in 90,000 applications and 68,000 servers exposed to the Internet (and therefore directly attackable). And that is only “the tip of the iceberg”. These thousands of vulnerable machines are all entry points for cybercriminals. As a result, alerts about Log4Shell exploitation have been issued at regular intervals.

On June 23, CISA, the US cybersecurity agency, warned that Log4Shell was being exploited by malicious actors to reach VMware Horizon servers (workstation virtualization software widely used by businesses). Once they have taken over these servers, attackers can move on to their victims’ workstations, hunting for internal systems that hold sensitive data. Three months ago, Mandiant researchers accused the Chinese government-affiliated hacker group APT41, known as Hafnium, of successfully exploiting Log4Shell to spy on governments in “at least” six US states.

More generally, many cybercriminal groups, some with financial motives and others with strategic ones, have added Log4Shell to their attack kits, that is, the set of vulnerabilities they systematically try to exploit. Concretely, they scan their targets’ Internet-connected machines for a whole set of widespread vulnerabilities (such as Log4Shell) for which they have working exploitation methods.

According to Jamie Moles, an expert at the vendor ExtraHop, these capabilities are even built directly into botnets, networks of infected machines that can be rented to launch coordinated cyberattacks. The result: ExtraHop observed 147,000 scans for the Log4j vulnerability in May alone, and nearly as many in each of the preceding months. Cybercriminals are always looking for the easiest (and cheapest) way into their victims’ networks, and Log4Shell is a particularly easy door to open. “Java is one of the most widespread languages in web applications, which by definition are exposed on the Internet”, Antoine Richer points out.

Many developers are still downloading vulnerable versions of Log4j

If Log4Shell continues to be exploited, it is not only because of delays in deploying patches. For several months, the vendor Sonatype has been observing a strange phenomenon that shows no sign of fading: more than a third of the Log4j versions downloaded from Maven (one of the reference repositories) are not up to date, and therefore still vulnerable. In other words, developers are integrating a software component that is vulnerable to attack. In February, the company’s CTO Brian Fox told the Wall Street Journal that this was because developers “do not know what happened to their software”. Since then, he has repeated his observations, which have so far failed to change the status quo.

Questioned by a U.S. Senate committee in February, the president of the Apache Software Foundation recalled that there are many scenarios that justify using older versions of Log4j, for example to conduct security research, or because other components require keeping an old version. But these particular cases are not enough to account for more than 33% of downloads being vulnerable versions.

To avoid continuing down this path, professionals are trying to learn from security incidents like Log4Shell. “The application security community is particularly interested in the supply chain”, Antoine Richer explains, “since it is now known that a large part of the application code we create comes from external libraries. You need to know what you are importing into your code, in order to master your application and react more effectively in the event of an incident.” These good practices are slowly taking hold, but vulnerabilities continue to be discovered at a rapid pace.
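The two practical steps the article describes, inventorying which applications embed Log4j and checking whether each copy has been patched or had the vulnerable function removed, can be automated. The following is an added example written for this page, not code from Tanium, Accenture, Sonatype or the Apache project: it walks a directory tree, reads the version recorded in each log4j-core jar's Maven metadata, and reports whether the jar is patched, mitigated (JNDI lookup class stripped, the "virtual patch" style of fix) or still vulnerable. The minimum fixed version is an operator-supplied parameter to be taken from the Apache advisory; the sample jars built by `build_sample_jar` are constructed metadata-only stand-ins, and the JndiLookup class path is the one this mitigation removes.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven metadata shipped inside log4j-core jars; it records the exact version built.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup; stripping it from the jar is the "remove the function" style of virtual patch.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def inspect_jar(jar_bytes):
    """Return (version or None, jndi_lookup_present) for one jar given as bytes."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, JNDI_CLASS in names

def classify(version, jndi_present, min_safe):
    """Label one jar relative to the minimum version the operator considers fixed (assumption: taken from the advisory)."""
    if version is None:
        return "not-log4j-core"
    if parse_version(version) >= parse_version(min_safe):
        return "patched"
    return "vulnerable" if jndi_present else "mitigated-jndi-removed"

def scan_tree(root, min_safe):
    """Classify every .jar/.war/.ear under root (jars nested inside archives are not unpacked)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".jar", ".war", ".ear"}:
            version, jndi = inspect_jar(path.read_bytes())
            findings[path.name] = classify(version, jndi, min_safe)
    return findings

def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (metadata only, no real classes) for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    return buf.getvalue()
```

Jars nested inside fat jars or WAR files are not unpacked here, so a real inventory should recurse into those archives as well.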