Thursday, July 14, 2022

Homeland Security Warns Log4j’s 'Endemic' Threats for Years to Come

The U.S. Department of Homeland Security (DHS) released a report this week to warn of the continued risk posed by the Log4j vulnerability discovered in late 2021, calling it an “endemic vulnerability.”

The study was conducted by the Cyber Safety Review Board, which was established in February following President Biden’s Executive Order on improving the nation’s cybersecurity. DHS Under Secretary for Policy, Strategy, and Plans Rob Silvers leads the board, and Google’s Senior Director for Security Engineering Heather Adkins serves as the deputy chairwoman. For its first report, the board worked with nearly 80 organizations and individuals to gather insights into the Log4j vulnerabilities and developed 19 actionable recommendations. Google’s VP of Security Royal Hansen noted that the company was one of the participants and shared its own experiences in responding to this and other incidents.

The board reviewed the events surrounding the disclosure of the flaw in the popular Apache Log4j open source logging tool. “A vulnerability in such a pervasive and ubiquitous piece of software has the ability to impact companies and organizations (including governments) all over the world,” Silvers and Adkins stated in the report. They warned that “the Log4j event is not over” and asked organizations to stay vigilant. The vulnerability remains deeply embedded in systems: participants identified new compromises and threat actors during the review, they pointed out. This finding is in line with threat researchers’ initial reactions that very few organizations would escape Log4j.
Late last month, the Cybersecurity and Infrastructure Security Agency (CISA) released another advisory warning defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit Log4j vulnerabilities in VMware Horizon and Unified Access Gateway (UAG) servers. The U.K.’s National Health Service (NHS) sent out a similar warning in January, and VMware urged users to patch affected systems and/or implement workarounds.

The company has also found evidence of the ongoing threats. VMware’s NSX network detection and response has tracked over 25 million Log4j exploit attempts across various organizational environments, its global security technologist Chad Skipper noted. “We’ve seen a positive response to virtual patching that can help teams mitigate risks by offering a quick and temporary prevention of an exploitation while the security engineers adapt and implement a remedy to eventually mitigate actions.”

“The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the executives warned in the report. “Significant risk remains.”

Calling it “somewhat surprising,” the Cyber Safety Review Board found that Log4j exploitation mostly occurred at lower levels than many security experts had predicted, and the board is not aware of any significant Log4j-based attacks on critical infrastructure systems so far, according to the report. However, this does not necessarily mean such high-level attacks never happened. The executives added that many organizations do not collect information on Log4j exploitation and that reporting is largely voluntary; moreover, no authoritative source exists for understanding global exploitation trends. The board reiterated that organizations should be prepared to deal with Log4j-related threats for years to come.
It also calls for public and private sector collaboration on this issue, asking organizations to continue reporting exploitation and government agencies to expand authoritative risk information sharing and drive implementation of CISA guidance. Additionally, the board recommended maintaining good security hygiene and adopting industry-accepted practices and standards for vulnerability management, moving toward a better software ecosystem with a proactive model of vulnerability management, and pursuing cultural and technological shifts for long-term national defense.

“Cyber vulnerabilities will continue to be around and will evolve and become more sophisticated over time,” Skipper echoed. “Continuous perseverance and drive for security hygiene is one of the most effective paths in mitigating exposure.”