70% of large enterprises that previously patched the Log4j flaw are still struggling to patch vulnerable Log4j assets.
In December 2021, security teams raced to find vulnerable Log4j assets and fix them. Eight months later, many Global 2000 companies are still struggling to mitigate the digital asset and business risks associated with Log4j. The ease of exploiting the Log4j vulnerability, coupled with the critical nature of the bug, which allows attackers to execute arbitrary code in cloud and corporate networks, makes it imperative to find vulnerable assets and fix them quickly.
A CyCognito review of large enterprise external attack surfaces found that 70% of enterprises that previously addressed Log4j in their attack surface still struggle to patch assets vulnerable to Log4j and to prevent new instances of Log4j from resurfacing in their technology stack.
Our research highlights business continuity risks such as digital asset proliferation, subsidiary risk, and the importance of reducing the time it takes to identify and remediate a vulnerable Log4j asset.
Log4j: Analysis of current and lasting legacy
On December 9, 2021, the critical Log4j vulnerability (CVE-2021-44228) was first identified and assigned a severity rating of 10 out of 10. It is a remote code execution flaw in the Apache Log4j library (part of the Apache Logging Project). The vulnerability is considered extremely dangerous because it is easy to exploit, and a public proof of concept became available shortly after its discovery.
Eight months later, Log4j has proven to be one of the worst vulnerabilities in years, if not in a decade.
A July report (PDF) from the US Department of Homeland Security stated, “The Log4j event is not over. Log4j remains deeply embedded in systems, and even in the short time available for our review, community stakeholders have identified new trade-offs, new threat actors, and new learnings.”
Our proprietary Log4j analysis examines the external attack surfaces of three dozen Global 2000 companies protected by CyCognito solutions. The report highlights the Log4j cybersecurity risks faced by organizations that are not CyCognito customers and by the cybersecurity community as a whole.
Instances of vulnerable Log4j assets discovered by the CyCognito platform are based on simulated adversarial analyses of assets exposed in the wild. These Log4j instances (now mitigated) were briefly exposed assets that, if ignored, could have given an attacker access to these organizations’ cloud or on-premises assets and networks.
Main Log4j takeaways for July 2022:
- Instances of assets vulnerable to Log4j are increasing and not decreasing in a subset of companies examined.
- Some companies are seeing a doubling of digital assets vulnerable to Log4j within their external attack surface, not a decrease.
- Only 30% of companies that had at least one issue with Log4j had no assets vulnerable to Log4j at the time of our analysis.
- Of these exposed Log4j-vulnerable assets, the most common were web applications.
Explore data points
Growing, not shrinking: After companies purged their external attack surface of digital assets vulnerable to Log4j, new instances of Log4j-vulnerable systems came back online.
Among companies with at least one Log4j vulnerability discovered in January 2022, 62% continued to report one or more vulnerable Log4j assets exposed in July. The research did not indicate whether these were new or existing exposures.
Among companies that had an asset exposed in July, 38% saw an increase of one or more assets vulnerable to Log4j. The data indicates that, for many enterprises, new assets exposed to Log4j remain a growing problem.
Doubling the Log4j problem: A review of organizations found that 21% of those with vulnerable assets in July experienced triple-digit growth in the number of exposed Log4j-vulnerable assets compared to January.
While the initial number of vulnerable assets was low within each organization examined, more than half a dozen are seeing a steady increase in the number of Log4j-vulnerable assets. One company, with seven assets exposed in February 2022, had 39 assets exposed in July.
Rare successes: 38% of organizations experienced a decline in vulnerable assets. In each of these cases, CyCognito found no instance of Log4j in their internet-exposed attack surface in July.
Thirty-four percent of companies with more than one vulnerable asset in January had the same number of exposed assets in July.
Web app concerns: Breaking down the numbers even further, the data reveals that companies with vulnerable assets had a greater number of web applications vulnerable to a Log4j exploit compared to other types of systems.
This is concerning given that web applications pose a high risk to businesses and their users, as they often access or contain sensitive, confidential or personally identifiable financial information.
Why companies are struggling to get rid of Log4j
CyCognito’s analysis finds that the reasons companies struggle to eliminate Log4j vulnerabilities once and for all are manifold.
First, organizations have underestimated how deeply embedded the Log4j software is, and software vendors have yet to rid their products of vulnerable Log4j code. The battle to mitigate vulnerable Log4j assets is exacerbated by the introduction of new exploitable Log4j instances onto the attack surface.
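As an added example (not code from the CyCognito report or this article), the following Python inventory flags copies of log4j-core inside JAR/WAR artifacts, including nested ones, which is how re-introduced instances are typically caught on a build server or host before they reach the external attack surface. The 2.17.1 threshold is an assumed remediation policy, and the sample archives are constructed fixtures.

```python
import io
import re
import zipfile

# Class abused by CVE-2021-44228; deleting it from log4j-core is the documented
# Log4j mitigation for deployments that cannot upgrade.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed policy: 2.x below 2.17.1 is flagged (Java 6/7 backports 2.3.x/2.12.x not handled).
FIXED = (2, 17, 1)

def parse_version(text):
    """Pull the 'version=' line out of a Maven pom.properties into an int tuple."""
    for line in text.splitlines():
        if line.startswith("version="):
            return tuple(int(n) for n in re.findall(r"\d+", line)[:3])
    return None

def version_vulnerable(v):
    """True for log4j-core 2.x older than the assumed fixed version."""
    return v is not None and v[0] == 2 and v < FIXED

def scan_jar(data, depth=0):
    """Inventory one JAR (bytes); recurses into nested jars such as WAR/fat-jar libs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PATH).decode(errors="replace")) if POM_PATH in names else None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({"depth": depth, "version": version, "jndi_lookup": has_jndi,
                             "vulnerable": has_jndi and version_vulnerable(version)})
        for n in names:
            if depth < 3 and n.endswith((".jar", ".war", ".ear")):  # bound nesting depth
                findings.extend(scan_jar(zf.read(n), depth + 1))
    return findings

def make_sample_jar(version, include_jndi, wrap=False):
    """Constructed fixture: a minimal archive mimicking log4j-core, optionally inside a WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    if not wrap:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
    return outer.getvalue()
```

A finding with an old version but no JndiLookup class is reported but not marked vulnerable, reflecting the class-removal mitigation; run `scan_jar` over every archive found on a host to build the inventory.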
This trend is also driven by attack surface sprawl, risks related to subsidiaries and business units, mergers and acquisitions (M&A), and the time lag in remediating vulnerabilities (measured as mean time to resolution, or MTTR).
CyCognito found that among Global 2000 companies, M&A activity increases or decreases an organization’s attack surface by 5.5% each month (PDF). Organizations were initially ignoring 10-30% of their affiliates, according to a separate CyCognito study published in June.
(See the June CyCognito report: “Does anyone have a map?”)
Global consultancy Bain & Company reports that M&A activity in 2022 is expected to reach US$4.7 trillion in deal value, making it the second highest year on record. This type of business change, combined with emerging risks and poor visibility of the IT ecosystem, makes it extremely difficult for security and IT leaders to get a 360-degree view of their external attack surface. This increases the chances that security holes in their attack surface will go unnoticed, exposing them to dangerous and preventable risks such as Log4j.
Why focusing on risk rather than vulnerability is paramount for Log4j exposures
Growing trends in the proliferation of external attack surfaces make it harder for security teams to reduce the mean time to fix vulnerabilities, including Log4j.
In June 2021, the average time to fix a high-risk application vulnerability was estimated at 246 days (8.2 months), up from 194 days (6.5 months) at the start of that year, according to a study by Synopsys.
A CyCognito-sponsored research report by Informa Tech found that security teams suffer from cybersecurity debt: new cybersecurity issues arrive faster than security teams can mitigate the existing ones.
The problem is compounded by inadequate and incomplete security scanning of external attack surfaces for vulnerabilities and other risks. CyCognito has found that competing discovery tools can leave between 10% and 50% of digital assets undiscovered, and therefore untested and ignored.
Informa Tech found that the majority of security teams only have the bandwidth to fix about 50 vulnerabilities in an average month. Given the deluge of new vulnerabilities discovered each month, current patch rates are insufficient to keep pace with high-risk and critical vulnerabilities such as Log4j issues.
That’s why CyCognito advocates a business risk-driven approach to cybersecurity management, which focuses on identifying and addressing the most pressing risks (such as Log4j) immediately within an attack surface.
To learn how CyCognito helps organizations detect and remediate the business risks of Log4j through its ability to continuously discover its customers’ external attack surfaces, see the company’s original analysis.
About the Author: TOM SPRING, MEDIA MANAGER
Tom Spring, Media Manager, is a veteran journalist and editor who has helped bring stories to life for over three decades.
(SecurityAffairs – hacking, Log4j flaw)