Log4j Exploits in the Wild

As you hopefully know by now, Log4Shell is a zero-day unauthenticated Remote Code Execution (RCE) vulnerability in Log4j versions 2.0-beta9 up to 2.14.1 identified as CVE-2021-44228. Log4Shell scores a perfect 10.0 on CVSS, the maximum possible criticality for a vulnerability. Since the initial vulnerability and subsequent patch, there have been several other vulnerabilities discovered and patched – visit our blog for a full timeline of events.

It’s been nearly a month since the initial vulnerability was disclosed, and exploit attempts continue to ramp up. Security firm Check Point said that over 4.3 million attempts to exploit CVE-2021-44228 have been detected thus far on nearly half of corporate networks.

Microsoft notes that Advanced Persistent Threat (APT) groups and nation-state actors are also attempting exploitation, and that the vulnerability appears to be making its way into malware kits and the tooling threat actors use.

Based on this data, it’s clear that threat actors are taking advantage of the vulnerability, in some cases likely faster than organizations can find their Log4j instances and patch them. If you still haven’t patched your environment, we recommend doing so as soon as possible, and in the meantime monitoring closely for indicators of compromise, since working exploit code is publicly available.

How is the Government Responding?

The exploit statistics certainly are sobering, and all signs point towards continued, widespread scanning and subsequent exploitation of Log4Shell. So, how is the government handling things?

Yesterday, the Federal Trade Commission (FTC) published a blog to make their stance on the situation clear, stating:

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

Essentially, organizations need to patch or otherwise adequately remediate Log4j to protect consumer data, or else risk heavy penalties like those imposed on Equifax under the Federal Trade Commission Act.

What Needs to Be Done?

In order to adequately protect your environment and the data within, patching your systems is the best course of action. Visit the Apache Log4j downloads page for the latest version, and upgrade your systems as soon as possible. To determine what systems to upgrade, you can use the scanner provided by the Cybersecurity and Infrastructure Security Agency (CISA).

If you aren’t able to patch immediately, a temporary remediation can be applied via a script, such as this Automox Worklet, which removes JndiLookup.class from the log4j-core-*.jar file and protects against CVE-2021-44228 until the patch can be applied.
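As an added illustration of that interim mitigation (this is example code, not the Automox Worklet or anything from the Apache project), the Python script below walks a directory tree, reports every log4j-core-*.jar it finds along with whether the jar still contains JndiLookup.class, and, when run without dry_run, rewrites the jar without that entry while keeping a .bak copy. The class path in JNDI_ENTRY is the standard location of that class inside log4j-core 2.x; the jar names and layout used for testing are constructed.

```python
import os
import re
import shutil
import zipfile

# Removing this class disables the JNDI lookup that CVE-2021-44228 abuses.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, etc.; group 1 is the version.
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*).*\.jar$")


def find_log4j_core_jars(root):
    """Yield (path, version) for every log4j-core-*.jar under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if m:
                yield os.path.join(dirpath, name), m.group(1)


def jar_has_jndilookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_ENTRY in zf.namelist()


def strip_jndilookup(jar_path):
    """Rewrite jar_path without JndiLookup.class, keeping a .bak copy.
    Returns True if the class was removed, False if it was not present."""
    if not jar_has_jndilookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)        # keep the original for rollback
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():       # copy every entry except the lookup class
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)             # atomic swap on the same filesystem
    return True


def remediate_tree(root, dry_run=True):
    """Report every log4j-core jar under root; strip the class unless dry_run."""
    report = []
    for path, version in find_log4j_core_jars(root):
        present = jar_has_jndilookup(path)
        stripped = present and not dry_run and strip_jndilookup(path)
        report.append({"jar": path, "version": version,
                       "jndilookup_present": present, "stripped": stripped})
    return report
```

A running JVM keeps the already-loaded class in memory, so the application must be restarted after the jar is rewritten; this scan also does not look inside WAR files or shaded jars that bundle log4j-core, which still need to be located separately.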

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.