Major Government Attack Highlights How Log4j is Still Unresolved

News of a major exploit using the Log4j vulnerability four months after its disclosure has been a painful reminder that the issue is still a serious problem. Reports are now linking China’s APT41 hacking group with breaching at least 6 U.S. state government networks, and the situation may go from bad to worse. As reported by VentureBeat:

“… in all likelihood, the full extent of the damage will still be unknown for some time. For instance, attackers may be waiting for an opportune time to use the access they gained through breaching systems using Log4Shell.”

As Sonatype CTO Brian Fox explained,

“These events track with the typical time lapse we’ve seen with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective this isn’t surprising: a high-spread, low-complexity vulnerability equals a 100 percent chance of being used.”

There are other published examples of successful Log4j exploits, including Fintech ransomware, the Belgian defense ministry, and a Dridex banking trojan. However, no issue so far has risen to this level of potential harm.

How did we get here?

It was only a day after the initial announcement that the CVE-2021-44228 exploit was published. Federal employees were asked to work over the holiday to help resolve issues that could affect infrastructure and national security. In January, U.S. officials were warning about long-term fallout from Log4j, and the FTC issued a warning to companies that did not remediate this issue.

The Biden White House even addressed issues for both public and private entities.

[Figure: Timeline of major Log4j events]

With all the press and attention given, there remained hope there wouldn’t be a significant intrusion, but the ease (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Luke Mcbride. Read the original post at: https://blog.sonatype.com/major-government-attack-highlights-log4j-resolution-shortfall