A widespread cyber vulnerability overwhelming businesses and governments remains unresolved since its discovery last year.
Software security firm Rezilion said almost 60% of software packages affected by problems in the open-source logging platform, Log4J, were not patched four months after its discovery and the Biden administration is warning that hackers are continuing to exploit the flaw.
Rezilion said active exploitation attempts of the software’s vulnerability, Log4Shell, are ongoing and pointed to advanced persistent threats (APT) from China and Iran as among the cyberattackers who are using the flaw.
Yotam Perkal, Rezilion head of vulnerability research, said his team is seeing a pattern of people not paying attention to the risks posed by the security flaw in the widely used computer code, despite warnings from the private and public sectors, including the Cybersecurity and Infrastructure Security Agency.
“As a security practitioner you say to yourself, ‘OK, there’s no way at this point in time that organizations have yet to patch, like they’re not aware of it, they didn’t take the necessary steps to protect themselves or to reduce the risk,’” Mr. Perkal said on Thursday. “But then as we see now, with these APT groups that are actively exploiting it, with the CISA warning, with our report, that’s not the case.”
Last week, CISA and the U.S. Coast Guard Cyber Command issued an alert saying state-sponsored cyberattackers were using the flaw to get initial access into organizations that did not patch the problem or create workarounds. The agencies did not directly identify the attackers or victims.
The cybersecurity firm Mandiant has previously said it observed hackers from China and Iran using the vulnerability while Microsoft has said it saw groups from North Korea and Turkey doing likewise.
Hafnium, which Microsoft previously said was responsible for the hack of its Exchange servers, is among the Chinese hackers exploiting the vulnerability, according to Rezilion.
The list of potential victims spans many industries because of the widespread use of systems incorporating the cyber flaw. Industries involving food, water, transportation, power and manufacturing were among those exposed, the industrial control cybersecurity firm Dragos said last year.
Part of the reason why the flaw still exists is that it is sometimes difficult to detect.
“Within packaged software in production environments, Java files (such as Log4J) can be nested a few layers deep into other files — which means that a shallow search for the file won’t find it,” reads Rezilion’s report. “Furthermore, Java applications can be packaged in many different ways which creates a real challenge for tools trying to analyze them as they need to support each and every creative (yet possible) packaging format.”
Mr. Perkal said the vulnerability can be exploited by ransomware attackers, data thieves, and for use in other cybercrimes.
Putting a price tag on the Log4J chaos is difficult as the full extent of the damage is not yet known, but related cybercrimes have previously cost Americans billions of dollars.
For example, the FBI’s Internet Crime Report 2021 published earlier this year showed complaints rose 7% over 2020 and the cost of cybercrimes to victims exceeded $6.9 billion.
Business email compromise schemes, cryptocurrency crimes and ransomware were atop the list of cyber incidents reported to the FBI. The email schemes proved most costly, with victims losing nearly $2.4 billion last year.
The Biden administration may provide more information about the cyber vulnerability’s damage later this summer. Earlier this year, the Biden administration announced the creation of the Cyber Safety Review Board, tasked it with investigating Log4J, and said a report would be delivered this summer.