Remember when Log4j prompted us to wonder about “the quiet before the ransomware storm?”
Were hackers playing the long-game?
Nearly four months have elapsed since Alibaba’s Cloud security team initially reported the remote code execution (RCE) vulnerability within Apache Log4j. Upon the bug’s emergence, experts quickly gave the issue the highest severity rating – 10.0.
Accessible Log4j statistics
Patches were quickly created and distributed, but threat actors continued to launch more than 100 attacks-per-minute, contributing to serious concerns about ransomware and other malicious threat types.
- 46% of corporate networks incurred intrusion attempts related to Log4j.
- 21% of organizations experienced significant disruption due to Log4j.
- And more than 3 million attempts to exploit the vulnerability were made.
Are you only 99% certain?
By this point, if your organization hasn’t patched for Log4j, you’re probably 99% certain that it doesn’t exist within your system. If that shadow of a doubt is haunting you, use a vulnerability scanner to confirm.
Insecure Log4j downloads
Despite the general awareness of Log4j, and all that it represents, software developers are still downloading versions of Log4j released prior to December 2021’s security updates. One repository that’s responsible for housing open-source code clocked more than 7,500 of these downloads per hour.
The software’s ubiquity means that corresponding threats could hide within network ecosystems for years.
Log4j catalyzes action
The Log4j library issue served as a wake up call for many regarding how we source, build and secure software. According to 87% of survey respondents, the level of risk posed by open-source software means that it merits government regulation. Some also believe that federal agencies should mandate mitigation protocols for Log4j and similar types of vulnerabilities.
In the near-term future, commercial software vendors are expected to start providing software bills of materials to customers. This will help provide visibility into potential risks, and enable clients to quickly confirm whether or not they may be affected by any new vulnerabilities, thereby improving the overall cyber security posture of supply chains and industries.
Preparing for the next Log4j
In staying ahead of future open-source vulnerabilities, cyber security professionals may want to start by ensuring that they know their ecosystems, and that they know how to contact software vendors in case of urgent questions.
In the event that your organization relies on “home-grown” software, ensure that development teams keep organized notes regarding the third-party libraries that they rely on. In addition, services are available that can help scan open-source libraries for known vulnerabilities. Your organization may wish to consider working with such a service.
Also, process vulnerability notifications centrally, know where your incident response plan is located, know how to quickly access offline versions, and automate your remediation processes.
The answer is artificial intelligence
In the past five years, billions of new applications and pieces of software have made their way onto the market. Software engineers and cyber security professionals cannot keep up with the volume of potential vulnerabilities. The best approach is to leverage artificial intelligence in preventing zero-day threats, like Log4j, from interrupting your businesses processes.
For more information about using artificial intelligence to protect systems, please see CyberTalk.org’s whitepaper.
Lastly, to receive more information about trends, and to obtain exclusive cyber security resources, please sign up for the CyberTalk.org newsletter.