A survey of the post-Log4j landscape found few successful hacks linked to it. The bad news? Log4Shell will linger for years — so you need to prepare.
Log4Shell, the critical, remotely exploitable hole in the Log4j open source library sent shockwaves around the world when it was first disclosed in December, 2021. But it may not have produced as many dire outcomes as initially projected, a new report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has found.
In its first major report, CISA's Cyber Safety Review Board (CSRB) said its analysis of the fallout from the December, 2021 disclosure of Log4Shell found no evidence of significant cyberattacks stemming from the widespread vulnerability - despite ample evidence of scanning, and attempts to exploit the hole.
The surprising statement came in a 52-page report assessing the impact of Log4j, released on July 11. "Given the scale of use of Log4j, the ease of exploiting the vulnerable feature, and widespread reporting on the vulnerability, the Board expected to find during its review that the vulnerability had a significant impact on the safety of the digital ecosystem," the report reads. "However...the Board did not learn of any significant attacks impacting organizations, including attacks on critical infrastructure."
But the report cautions that the lack of conclusive evidence of attacks shouldn't be taken as proof that attacks didn't occur. Indeed, the lack of evidence may be attributable to weaknesses in the systems for reporting and tracking malicious cyber activity.
Spotty tracking of Log4Shell attacks
Among the factors complicating the Board's work: the lack of an "authoritative source from which to understand exploitation trends across geographies, industries, or ecosystems;" a lack of reliable reporting from organizations that may have been the victim of Log4Shell exploits; and noisy data in which scanning by governments, security companies and other "white hat" actors is indistinguishable from scanning by malicious actors.
With no central repository of information about Log4j-related breaches and no mandatory reporting requirements, CSRB and others were left guessing at the actual impact of the Log4j vulnerability on businesses and other organizations.
Log4Shell: Get used to it
Going forward, CSRB recommended that organizations remain vigilant to the risk posed by Log4Shell "for years to come." At the same time, CISA needs to expand its capability to develop, coordinate, and publish authoritative cyber risk information, the CSRB report argues.
Many of CSRB's recommendations amount to "basic blocking and tackling." Organizations should invest in capabilities like vulnerability management, patch management and improved information technology (IT) asset and application inventories.
Focus on secure software development
But CSRB's report foresees a bigger role for development organizations as well. The Board recommends that development organizations ramp up their secure software development practices. That includes steps like adopting standard practices and technologies to build secure software in accordance with frameworks like ISO 27034:2011160 and NIST’s Secure Software Development Framework.
CSRB also recommends that code maintainers formalize communications around security issues and take advantage of source code scanning and tools that provide software maintenance status and versions to heighten their situational awareness of applications and software used within the environment. Finally, organizations should embrace Software Bill of Materials (SBOM) tooling, CSRB said.
Want to learn more? Get the full CSRB report, Review of the December 2021 Log4j Event here.
Keep learning
- Find the best building blocks for your next app with RL's Spectra Assure Community, where you can quickly search the latest safe packages on npm, PyPI and RubyGems.
- Learn about complex binary analysis and why it is critical to software supply chain security in our Special Report. Plus: Take a deep dive with RL's white paper.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.