The security research community had been expecting something like this to come along for a while. So it was with a sense of dread that we read news of a newly discovered CVSS 10.0 vulnerability in early December. The impact is already being felt around the globe as threat actors scramble to exploit the bug before defenders can apply their patches. It is a story that could take months or even years to play out.
The latest Trend Micro customer data reveals just how significant the global and vertical reach of Log4Shell is, and the huge range of applications it impacts. That’s why we continue to research potential new vectors and Log4j vulnerabilities, and to help organisations better understand where they may be exposed.
What happened?
Log4j is a popular Java-based logging tool used in platforms as diverse as Minecraft and Elasticsearch. A high severity vulnerability dubbed “Log4Shell” was patched by the open source Apache community in early December. However, exploits subsequently created for it have already been used by threat actors to launch ransomware, mine illegally for virtual currency, steal data and much more. Why is it so dangerous?
- Log4j is near-ubiquitous in modern enterprises, in both third-party and home-grown applications
- Due to Java dependencies, it is not always easy to find instances of Log4j running, in order to patch them
- There are multiple attack vectors depending on the application in question. In the case of Minecraft, exploitation was reportedly as simple as copying a string into a chat box
- The vulnerability can lead to remote code execution, allowing attackers to install malicious code on an affected machine to launch a range of attacks
Charting the spread of Log4j
New Trend Micro data highlights exactly how widespread the threat is. Although just 7% of our customers were impacted, they were dispersed across Europe (26%), the Americas (33%), Japan (16%) and AMEA (25%). The US dominated country-by-country (5,069) followed by Japan (4,223). The threat is also presence across verticals. The top three for Trend Micro customers were government (1,950), retail (1,537) and manufacturing (1,507).
As mentioned, Log4j is an incredibly popular utility for Java-based logging. In our breakdown we found it most common on the desktop in StandAlone Doc Browser, 724Access, VMware, and Minecraft. On the server side, it was Tableau, PowerChute Business Edition, spectrumcontrol and Tomcat.
However, that’s still not the whole story. We also observed some apps more frequently impacted in specific regions. SIOS.QuickAgent2 topped the list in Japan, for example. When it came to verticals, Tableau and VMware were most commonly affected in government, retail and manufacturing. But third place went to ArcGIS in government, SASEnvironmentManager in retail and Informatica Cloud Security Agent in manufacturing. Knowing where to find Log4j is crucial to mitigating the risk of exploitation.
A new DoS threat
The story has since taken yet another turn, thanks in part to the work of Trend Micro researcher Guy Lederfein and Trend Micro’s Zero Day Initiative (ZDI). He helped discover a new Denial of Service (DoS) vulnerability in Log4j which has subsequently been patched.
As the world’s largest vendor agnostic bug bounty program, the ZDI’s mission has never been more important. Incentivizing researchers from across the globe to find new vulnerabilities before the bad guys do is of critical importance in a world where exploits of popular programs like Log4j can result in such widespread damage so quickly.
In the meantime, Trend Micro stands ready to help customers with a free assessment tool designed to root out instances of unpatched Log4j across your IT environment. Check out all the latest info on the threat here.