One year ago, a newly discovered zero-day vulnerability rocked the world of cybersecurity, but 12 months on, there are clear signs that vital lessons haven’t been learned.
The catchily-titled CVE-2021-44228 was and still is an easy to exploit vulnerability in the widely used Java logging library Apache Log4j, which enables attackers to remotely gain access to and take control of machines and servers.
Upon discovery, it was a massive concern, because the ubiquitous nature of Log4j meant it was (and is) embedded in a vast array of applications, services and enterprise software tools that are written in Java and used by organizations and individuals around the world.
Such was the danger posed by Log4j that the National Institute of Standards and Technology (NIST) gave the vulnerability a Common Vulnerability Scoring System (CVSS) score of 10 – classing it as a highly severe, critical vulnerability – and within hours of disclosure, it was being exploited by cyber criminals.
Also: Cybersecurity: These are the new things to worry about in 2023
No wonder CISA chief Jen Easterly described the Log4j vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious” – and it affected hundreds of millions of devices.
Security updates and mitigations were swiftly rolled out, yet a year on from the initial disclosure, Log4j still remains a threat because many organizations and and their suppliers are still yet to apply the updates.
Many might still not even be aware that the logging library is part of their software ecosystem.
But repeated warnings made it clear that the critical vulnerabilities posed a threat – and hacking groups ranging from cyber-criminal gangs and ransomware groups to nation-state backed cyber-espionage operations have all actively targeted Log4j vulnerabilities and continue to do so.
Just last month – almost a year on from the initial disclosure – CISA and the FBI put out a security alert, warning that if organizations hadn’t yet patched or mitigated Log4j vulnerabilities, they should assume their network is compromised and act accordingly.
The alert came after an investigation into a cyberattack against what CISA and the FBI describe as a ‘federal civilian executive branch’ organization. If a government body can’t plug the security holes correctly, then what chances do other organizations have?
Also: Software development is still ignoring security. That needs to change fast
Cybersecurity moves quickly – it’s tough work and information security teams regularly face burnout because there’s always another new security vulnerability, or a new security update that needs applying. But cyber criminals don’t forget about old security flaws and vulnerabilities – and as long as Log4j instances remain unmitigated, they’ll be targeting them.
That means organizations can’t just ignore vulnerabilities and issues and hope they just go away. Fixing these issues is a challenge, but taking notice of security alerts and warnings to ensure your network is protected is an absolute must.
It’s just one of the reasons why the responsible thing for organizations of any size to do is to provide the budget for a suitably sized information security team, which can help detect and mitigate threats before they affect your business and its customers.
ZDNET’S MONDAY OPENER