Third-party scans suggest that a significant number of large businesses that spent the first months after the Log4j discovery conducting rigorous asset inventory and rooting out instances in their software or hardware were able to reduce their risk from the vulnerability to near zero in the following months. Meanwhile, those that were sluggish to address the flaw early often saw their risk increase or compound as new, vulnerable assets were brought online over the year.
That’s according to an analysis by CyCognito released during the 2022 Black Hat conference in Las Vegas. The company conducted simulated adversarial scans of three dozen Global 2000 companies, finding a stark difference between companies that rushed to identify and close off assets exposed to the vulnerable Apache code early and those that did not.
Generally, both groups saw new, vulnerable assets come online over the year. In fact, nearly two-thirds (62%) of the companies that discovered at least one asset vulnerable to Log4j in January still had exposed assets as recently as July. Of those companies, 1 in 5 (21%) saw their number of vulnerable assets — many in the form of web-based applications — more than triple from the numbers reported in January. One firm that reported seven exposed assets in February saw that number balloon to 36 in July.
On the other hand, businesses that saw a measured drop in the number of exposed assets between January and July of this year were largely successful at preventing new instances from coming online. That subset of companies (38%) had zero exposed assets in July, according to CyCognito’s scans.
“There is definitely a correlation between being in a better spot today and investing significant energy on day one when this was released or exposed to fix the issue,” said CEO Rob Gurzeev in an interview.
Some caveats: CyCognito sells vulnerability scanning and asset inventory services that map out the attack surface of companies and their exposure to bugs like Log4j. Additionally, cybersecurity experts warn that external scans of an organization’s internet-facing assets alone do not always reflect a company’s true exposure, as they frequently do not take into account internal configurations or other mitigations the company may be employing.
In this case, Gurzeev said the analysis does not rely on simply port-scanning internet-connected systems and assets that are known to contain Log4j code and “guessing” at whether they are vulnerable, the way many external security report cards tend to do.
He said CyCognito’s platform is different in two ways: it integrates automated security testing capabilities that can actually test the validity of an exploit, and they obtained the consent of the companies in the analysis to run code on their backend service to get a more accurate picture of whether the assets were truly vulnerable to exploitation.
The Log4j vulnerability, found in an open-source Apache tool that allows software developers to track changes in application code over time, is embedded in thousands of other software programs. That has made mapping out exposed products and assets a top priority for enterprises large and small, as well as government agencies like the Cybersecurity and Infrastructure Security Agency, which has called Log4j one of the most dangerous and far-reaching cybersecurity exploits in decades.
While evidence of widespread exploitation from nation-states and cybercriminal groups has not always matched the hype, officials at CISA have said that can partly be attributed to the all-out effort by government and industry in the immediate wake of the discovery to mitigate the worst of the known vulnerabilities. It also reflects the long-term nature of a threat that is expected to continue plaguing organizations for years to come.
A report in July by the Cyber Safety Review Board, a board made up of cybersecurity experts who review damaging vulnerabilities and their fallout, found that “Log4j remains deeply embedded in systems, and even within the short period available for our review, community stakeholders have identified new compromises, new threat actors, and new learnings.”
In January, CISA Executive Director Eric Goldstein said that for organizations, mapping out their exposure to exploitation starts (but does not end) with their internet-connected assets.
“This will be a long tail of remediation. … We are prioritizing remediation of internet-connected assets first and foremost because as adversaries conduct their mass scanning, they will be targeting those assets first,” Goldstein said. “Organizations public and private will have a significant amount of work to do to get past those internet-facing assets and mitigate vulnerabilities that are internal to their network as well as with custom software.”