Skip to content

Digging into the numbers one year after Log4Shell

Posted by: GuidePoint Security

2 min read

December 16, 2022 – Published on SC Magazine

A year ago, when the Log4Shell vulnerability was first disclosed, perhaps no sector responded as quickly and decisively as the federal government.

Within days of the bug’s disclosure, the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security issued an emergency directive ordering civilian federal agencies to identify all software solution stacks accepting data input from the internet, map them to a government-run GitHub repository of known software assets using the vulnerable code, patch known affected instances and request additional scrutiny for internet connected solutions that were not on the list. Agencies were given less than week to patch their affected systems or pull them from the internet. 

And yet, three months later in February 2022, hackers linked to the Iranian government were able to use the vulnerability to break into an unpatched VMWare Horizon server, and federal officials did not even discover the compromise or respond to it until June 2022, according to a joint advisory by CISA and the FBI.  

From the time it was introduced, researchers warned that Log4Shell would remain in the digital ecosystem for years. The Iranian incident underscores just how difficult it has been even for motivated and well-resourced organizations to stay on top of the threat and remove it from their networks. 

GuidePoint Security suggested that the cost for a single Log4j hunt can also reach to $33,000. 

“[The high cost] was due to numerous factors, including the breadth of Log4j across various software and solutions, as well as the client’s inability to easily identify where it was running, whether it was vulnerable, and even potentially exploited. Therefore, we seem to receive more requests for assistance in helping clients perform these tasks, which obviously has supplemental costs to their typical vulnerability management processes,” said Mark Lance, vice president of DFIR and Threat Intelligence at GuidePoint Security.  

Read More HERE.

Categories: Application Security Incident Response & Threat Intelligence Vulnerability Management & Penetration Testing
Tags:GRIT®

GuidePoint Security

Threat Discovery Services
 We will leverage existing data sources and toolsets within your infrastructure, supplemented with additional solutions that can be deployed to […]
Download

Related Articles

View All

  • Incident Response & Threat Intelligence
Threat Discovery Services
Read More < 1 min read
  • Incident Response & Threat Intelligence
Iranian compromise of federal network demonstrates enduring nature of Log4j
Read More 2 min read
  • Blog
Log4j: A Year in Review
Posted by: GuidePoint Security
Read More 3 min read