The Need for Speed: As the Rate of Exploit Get Faster, How Do Organizations Keep Up?

Few vulnerabilities in recent years have attracted as much attention or ignited as much concern across the industry as CVE-2021-44228 – or Log4Shell, as it became known – a critical remote code execution (RCE) vulnerability.

The vulnerability, disclosed in December, affected almost every environment with a Java application, was trivially easy to exploit and gave attackers a way to gain complete control of vulnerable systems. Too often, it was also incredibly hard to find because dependencies on Log4j could sometimes be buried multiple layers deep in applications.

Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) called Log4Shell the most serious vulnerability she’d seen in her career. And cleaning up after it could take months or even years, experts say. This flaw highlights the dramatic speed of exploits that organizations now face.

The speed of Log4Shell and what it means for networking and IT leaders

Researchers at FortiGuard Labs found that within days of being disclosed, Log4Shell had become the most prevalent IPS detection for the entire second half of 2021. When you consider that it didn’t emerge until December, that’s especially shocking.

In just 21 days, the Log4j RCE had reached 1.4x the cumulative volume that the infamous Struts flaw in 2017 (CVE-2017-5638) achieved in one year. In less than a month, it had nearly 50X the activity volume in comparison to the well-known outbreak, ProxyLogon, that happened earlier in 2021.

One reason for the speed of its propagation is that Log4Shell is relatively easy to exploit, which means even low-skilled hackers can take advantage of it. Another reason is the wide attack surface. Soon after Log4Shell’s disclosure, threat actors – including operators of crypto miners, ransomware tools and botnets like Mirai – were observed integrating exploits for the Log4j vulnerability into their attack kits.­­

These integrations led to fears of widespread attacks on everything from cloud applications and internet-facing servers to backend systems, network components and SCADA systems. People became concerned over reports of exploit activity targeting the flaw occurring at least one week before the vulnerability was disclosed and a patch for it became available. In the week following the Log4Shell disclosure, the Apache Foundation reported two other bugs in the logging framework: CVE-2021-45046 and CVE-2021-45105. The flaws turned out to be not as critical as Log4Shell, but it meant that organizations were forced to update their Log4j versions three times in a single week.

Addressing the aftermath

What’s perhaps scariest about how fast these exploits move is that in reality, organizations have very little time to react or patch today, given the speeds that cyber adversaries are employing to maximize fresh opportunities. Organizations need aggressive patch management strategies and the visibility to prioritize the threats that are propagating most quickly in the wild to reduce overall risk. Those strategies should includevirtual patching where possible and policy updates among other items.

In the case of Log4Shell, one small bit of good news is that even in the midst of widespread concerns, there were no reports of major compromises involving the flaw in the month after it was discovered. That is likely the result of the defensive measures that organizations rushed to implement in the immediate aftermath of bug disclosure.

On the other hand, there’s also reason to believe that attackers may have exploited the bug to breach networks and are waiting for the right time to strike.

How to address the acceleration 

The tech industry, and cybersecurity as a subset of it, has always been fast-moving and dynamic, but recent threat events show unparalleled speeds at which cyber adversaries are currently developing and executing attacks. Whether exploiting new vulnerabilities, targeting new attack surfaces or generating new attack techniques, adversaries are using more automated techniques to scale their efforts and execute more sophisticated attacks at an accelerated pace.

To defend against this varied set of threats, organizations need to implement AI-powered prevention, detection and response strategies based on an integrated cybersecurity architecture that enables much tighter integration and increased automation of actionable threat intelligence, as well as a more rapid, coordinated and effective response to threats across the extended network.

Satisfy the need for speed

The Log4J vulnerabilities underscore the dramatic speed of exploits that organizations now face. This leaves organizations with little time to react or patch, which means they need more aggressive patch management strategies and increased visibility to prioritize those threats that are propagating the fastest. A holistic, integrated security strategy provides that needed visibility and enables security teams to rapidly address network threats – which is precisely what organizations need to defeat today’s accelerated exploits.

Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.