Log4j exploitation risk is not as high as first thought, cyber MGA says

When the Log4Shell vulnerability (CVE-2021-44228) was publicly revealed in December 2021, CISA Director Jen Easterly said that it is the “most serious” vulnerability she has seen in her decades-long career and it could take years to address.

It’s true: the flaw is remotely exploitable by unskilled attackers and vulnerable versions of the open source library are seemingly ubiquitous – and are still being downloaded and used.

Attackers have been trying to exploit the vulnerability to compromise systems around the world to deliver cryptominers and ransomware or to establish persistent access for a future attack.

But, according to Rotem Iram, co-founder and CEO of cyber managing general agent (MGA) At-Bay, the Log4j exploitation risk isn’t as high as first thought.

Determining Log4j exploitation risk

After scanning 13,000+ of insured mid-market companies in their portfolio and companies that submitted a request to be insured, they found that only a very small percentage of them are vulnerable to Log4Shell exploitation coming from attackers outside the network perimeter.

“As an insurance MGA we are interested in reducing the most risk for the most organizations. In the mid-market, cyber criminals are not targeting specific organizations; they’re running internet-wide scans looking for critical vulnerabilities and then attacking what’s found. So, when looking at the risk presented by Log4j, we consider how many organizations could be identified and exploited by an attacker specifically seeking to use a Log4j exploit,” Iram shared.

They added the capability to their network perimeter scan to identify if an organization can be compromised via one of the published Log4j exploits (for 11 software products), and found that only 0.5% of organizations in the mid-market to be vulnerable.

Among the other things they found are that:

• Expectedly, the greater the size of the organization, the larger technology stacks they have, and the greater they chance of using a system that is vulnerable and identifiable through external scans
• The top 3 most vulnerable products found were Ubiquiti Unifi, VMWare Horizon, and MobileIron
• Educational Services (schools, colleges, etc.) and Information Industry (publishers, broadcasters, telecoms) are the most at-risk industries

But, most importantly, they also found that the exposure rates of those mid-market companies for the EternalBlue and ProxyLogon flaw are bigger, and for unauthorized RDP access bigger still.

“Remediating any system vulnerable to Log4j is crucial, but organizations must not divert attention from other common attack vectors. Remote Desktop Protocol (RDP) remains the leading cause of ransomware incidents, responsible for nearly 50% of all attacks — and we do not anticipate this changing anytime soon,” he said.

“The number of available targets in the mid-market for hackers to exploit [via Log4j vulnerabilities] is relatively low, which presents less opportunity for cyber criminals and explains why there have been few reports of breaches to date.”

Other considerations

Iram told Help Net Security that their customers are all US-based and not overly concentrated in any one segment. “When we consider this alongside the total number of businesses scanned – which was roughly 13,000 – we think this data is a good representation of the market.”

He also noted that their scanner focuses on all currently exploitable products and configurations and that if a product is using an outdated log4j version, but there is no known way to exploit that product, they would not count it as a “confirmed exploitable”.

Finally, he pointed out that if an attacker gains access through different means (e.g., a phishing email) and is moving laterally inside the organization, they may be able to leverage an internal vulnerable product to further advance.

“Attackers in the mid market don’t target organizations, but rather easy to find and exploit vulnerabilities. They design an attack that is specific to that starting point and then scale it up by selling it as ransomware-as-a-service tool to other, less sophisticated attackers,” he added.

“Those attackers then scan every IP address looking for vulnerable assets, and prioritize the ones that belong to the highest revenue companies. So, knowing that 0.5% of mid-market companies would pop on an attacker’s radar, is important because it tells us the magnitude of the attacks that would follow, and also allows us to help those companies eliminate the issue before targeted. This approach has led us to reduce ransomware cases by more than 5x compared to reported averages.”