Like your grudge-holding friend, orgs are still having trouble patching that thing up from three years ago.
Recent reports, including of an obfuscation attack revealed by cloud-app security firm Datadog, demonstrate that companies still haven’t effectively remediated an old vulnerability in the Java-based logging framework Log4j—one found and patched in 2021.
“There’s always an urgency when new things come out, and then it tends to die out in terms of prioritization of risk in companies. And I think it’s important to continue looking for new techniques against old zero-days,” Bianca Lankford, VP of security engineering at Datadog, told IT Brew.
Log, Dog? Datadog, in an August 20 post, reported threat actors obfuscating malicious LDAP requests. TechTarget describes the Lightweight Directory Access Protocol (LDAP) as a “pocket-sized phonebook, but for your network,” used to look up resources like an unknown email address.
According to the Datadog findings, a vulnerable Java application resolves the attacker-supplied reference through the Java Naming and Directory Interface (JNDI), fetches the Java class at the returned URL, and executes it. That class, or resource pointer, runs commands that download and execute a malicious script, leading to data exfiltration and system reconnaissance.
Looking back. An Alibaba security engineer discovered the Log4j vulnerability on November 24, 2021, and the Apache Software Foundation (ASF) provided an upgrade by December 10.
“Such a disclosure of a significant vulnerability in any widely used piece of software immediately triggers a race between defense and offense: a race to apply upgrades before threat actors exploit vulnerable systems. The Log4j vulnerability was no exception,” according to the Cyber Safety Review Board’s assessment.
Unready, set, go! When comparing 2024’s first- and second-quarter cyber incidents, researchers from security company Cato Networks observed a 61% increase in Log4j remote-code execution attempts in inbound traffic. Website security company Cloudflare’s end-of-year report named Log4j “a top target for attacks during 2023.”
“The root of the issue lies in identifying all instances of Log4j, especially when it is nested in legacy systems or third-party applications. It’s like finding a needle in a needle stack,” Cato Networks’s chief security strategist, Etay Maor, wrote in an email to IT Brew.
Scan do! Following the discovery of the Log4j exploit, CISA recommended IT pros scan for vulnerable instances of Log4j, linking to a file system scanning script. Commercial software composition analysis tools and vulnerability scanners also seek out unpatched Log4j.
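As an added illustration of the kind of file-system scan CISA recommended (this is example code written for this page, not CISA’s script, Datadog’s tooling, or anything from the article), the Python below walks a directory, opens every JAR, including JARs nested inside fat JARs or WARs, and reports each log4j-core copy’s version and whether it still ships the JndiLookup class that the JNDI lookup path depends on. The patch baseline it compares against and the sample JARs it builds are assumptions and constructed fixtures; set the baseline to your own remediation target.

```python
import io, os, re, tempfile, zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries the version
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the class behind the JNDI lookup
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, label, findings, min_safe):
    """Record log4j-core details for one archive, then recurse into nested JARs (fat JARs, WARs)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a zip container; nothing to inspect
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    if POM in names:
        lines = zf.read(POM).decode("utf-8", "replace").splitlines()
        props = dict(l.strip().split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        version = props.get("version", "unknown")
        ver = tuple(int(x) for x in re.findall(r"\d+", version)[:3])  # '2.14.1' -> (2, 14, 1) for numeric compare
        findings.append({"archive": label, "version": version, "jndi_lookup_present": JNDI_CLASS in names,
                         "below_baseline": version != "unknown" and ver < min_safe})
    for name in names:  # nested archives get the same inspection, so a bundled copy is not missed
        if name.lower().endswith(ARCHIVE_EXT):
            inspect_archive(zf.read(name), f"{label}!{name}", findings, min_safe)

def scan_tree(root, min_safe=(2, 17, 1)):
    """Walk root and inspect every archive; min_safe is an assumed patch baseline, not a value from the article."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings, min_safe)
    return sorted(findings, key=lambda x: x["archive"])

def _build_jar(entries):  # constructed-fixture helper: build an in-memory zip from {name: content}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed fixtures: an old log4j-core JAR on disk and a patched copy nested inside an app JAR."""
    old = _build_jar({POM: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe"})
    app = _build_jar({"BOOT-INF/lib/log4j-core.jar": _build_jar({POM: "version=2.17.1\n", JNDI_CLASS: b"\xca\xfe"})})
    with tempfile.TemporaryDirectory() as root:
        Path(root, "log4j-core-old.jar").write_bytes(old)
        Path(root, "app.jar").write_bytes(app)
        return scan_tree(root)
```

Point `scan_tree` at an application or container filesystem root to list every log4j-core copy, including ones bundled inside other archives, that a team may have pulled in after the original patch cycle.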
Lankford said she’s seen regression in patching: It’s possible, for example, that a new engineering team spun up in 2022 or 2023 grabbed an older, unpatched version during code deployment.
“Continuous scanning is the name of the game in security,” Lankford said. “Security as a practice is not a static practice. We can’t just patch once and never think about it again.”