Study: 30% of Log4Shell instances remain vulnerable

On December 9, 2021, a critical zero-day vulnerability affecting Apache’s Log4j2 library, a Java-based logging utility, was disclosed to the world and broke the internet.

As the third most used computer language, Java is practically ubiquitous, and its Log4j2 library is extremely popular, with an estimated 15 billion devices around the globe currently running Java. The worst part is that Log4j is hard to find and easy to exploit, which places hundreds of millions of Java-based applications, databases and devices at severe risk.

The full scope of risk presented by the vulnerability is unprecedented, spanning every type of organization across every industry. Due to the ease of the exploit combined with the difficulty in uncovering the vulnerability within your organization, Log4Shell is the proverbial needle in a haystack.

Cybersecurity and Infrastructure Security Agency director Jen Easterly noted that Log4Shell is the “most serious” vulnerability she has witnessed in her decades-long career. She urged business leaders not to delay remediation processes, noting that this vulnerability could take years to address. Remediating this vulnerability would not be a simple, one-and-done process, and multiple detection methods would be required.

Quick to patch, quicker to exploit

As many companies prepared to operate with skeleton IT staff in the last two weeks of 2021, hackers and attackers saw an opportunity. It didn’t take long for this critical Java vulnerability to be exploited in the wild. Nearly 1 million attack attempts were launched in just 72 hours following the vulnerability’s disclosure.

What’s worse, as part of an ongoing information-gathering operation, notorious Chinese hacking group APT41, which breached local government agencies in at least six U.S. states in the last 10 months, quickly leveraged Log4Shell as the primary vector to infiltrate at least two of the states’ computer systems.