Many cos yet to scan systems or apply patches for Log4Shell

Amid growing concerns that the Log4Shell vulnerability is now on the radar of ransomware actors, security experts have warned that many companies are still not taking the threat seriously.

The Log4Shell vulnerability was detected in open-source logging software Apache Log4J that is used in practically every Java-based application or web server.

Almost any company that uses Java and the logging library can be at risk, security experts warned. Awarded the highest possible severity rating of 10, the vulnerability can be exploited to carry out remote code execution (RCE) attacks.

Also read: New Log4J flaw puts 41% of Indian corporates at risk of hacks

Even after a month of detection, only 70% of organisations have scanned their assets including web applications and web servers to ensure they are not afflicted by the vulnerability, shows a new data published by cybersecurity firm Tenable Inc, yesterday.  

Experts believe that timely reaction is critical to contain the vulnerability and mitigate the risk of exploits that could trigger future ransomware attacks. 

Also read: Log4Shell on ransomware gangs’ radar, exploit attempts detected in China, the US, Europe

"Log4Shell has been identified as one of the biggest cybersecurity risks we’ve ever encountered, yet many organizations still aren’t taking action," warned Amit Yoran, CEO and Chairman at Tenable.

Yoran added, "Yet 30% of organisations (according to our data) haven’t begun assessing their environments for Log4Shell, let alone started patching." 

After discovering issues with the initial patch to fix the vulnerability, Apache Software Foundation, the open-source web community responsible for the development of Apache software, published a second patch on December 17.   

Yoran further said that unlike vulnerabilities such as EternalBlue that led to WannaCry and many other attacks, the risk organisations face now is a lot more serious due to the wide use of Log4j in both infrastructures and applications. "No single vulnerability in history has so blatantly called out for remediation," he added.  

Candid Wuest, VP of Cyber Protection Research at Acronis, also feels that  

Log4shell is among the top five most severe vulnerabilities reported in the last decade.  

He also compared it to the EternalBlue and ShellShock Bash vulnerability.  

According to Wuest, companies should be more concerned as the vulnerability is easy to exploit remotely. Also, it takes longer to patch, as it’s not just one vulnerable software that has to be updated, but a library that’s embedded in many applications, resulting in multiple updates.  

Experts feel the situation has become even more worrisome because notorious ransomware groups such as Conti are on the trail of vulnerable applications and servers and have already made several attempts to target companies in the US and Europe using Cobalt Strike, a remote access tool that is also used for pen-testing.