Research identifies new Log4j exploit exhibits hidden blind spot in global digital supply chain called LoNg4j

While helping customers validate their patching efforts, researchers from Cequence Security found additional unpatched servers with the Log4j vulnerability hidden within those customers' digital supply chain, a pattern they labeled LoNg4j. Detecting this type of LoNg4j exploit requires an extensive test infrastructure that most organizations have not allocated, indicating that the Log4j vulnerability is more widespread than initially thought and extends across the digital software supply chain.

“We found unpatched servers within our customers’ digital supply chain that appeared some 15 hours after the initial test results were received,” the CQ Prime Team wrote in a company blog post. “Dubbed ‘LoNg4j’, this new exploit demonstrates the widespread implications of the Log4j vulnerability and organizations are potentially at risk of it for years to come,” they added. 

The results of the traditional Log4j vulnerability can be immediate. Recently, global cybersecurity authorities provided details on the top 15 common vulnerabilities and exposures (CVEs) routinely exploited by malicious cyber actors in 2021 and other CVEs frequently exploited. Last year, among the top 15 vulnerabilities that malicious hackers routinely exploited were the Log4Shell vulnerability, the ProxyLogon vulnerabilities that affected Microsoft Exchange email servers, and the ProxyShell vulnerabilities that also impacted Microsoft Exchange email servers.

The researchers also suspect “that we will continue to see many other LoNg4j examples for years to come because of the depth and breadth of the deployment of Log4j across organizations around the world. Today’s modern organizations are layered in software that has been written using open-source software, 3rd-party software and API-driven cloud software services, helping to ensure that software can be written and deployed quickly. Unfortunately, these pieces of software often pull along with them the vulnerabilities that exist within those 3rd-party components,” they added.

The researchers compared the lingering effect of the Log4j vulnerability to the ongoing COVID-19 pandemic. “As a proof point, in February 2022, the CQ Prime Threat Research team found that 36% of the 50 organizations analyzed remain vulnerable to the Log4j vulnerability, with specific verticals like retail and healthcare faring well, while universities and financial services fare poorly. The statistics show that even after a globally known vulnerability has been disclosed and a patch made available, organizations are still suffering from a lack of applied patches,” they added.

“We also found similar attack vectors that exploit Log4j but are performed through the DNS redirection of popular enterprise solutions such as web conferencing,” the researchers said. 

“Detecting this type of LoNg4j exploit requires an extensive test infrastructure that most organizations have not allocated,” according to the CQ Prime Team. “These two pervasive LoNg4j attack vectors mean that a very patient attacker can eventually gain access to a victim’s application through sheer persistence.” 

For example, “we searched for Log4j and LoNg4j vulnerabilities in the world’s Top 50 most used companies and websites. As of April 29, 2022, an initial scan found at least 10% of the websites were vulnerable to Log4j,” the researchers said.

“When exposed to more persistent analysis, that number went up 300%, indicating the potential existence of the LoNg4j vulnerability,” the post said. “On the positive side, the CQ Prime Threat Research team also identified companies that are doing API Security well. The team looked at organizations in healthcare, retail, and finance, not including our customers, against eight criteria that included the number of exposed APIs, development apps, health endpoints, insecure SSL, service providers, open API files, and exposed files to determine an API success score,” it added. 

Of the companies evaluated, Express Scripts, Costco, and JP Morgan came out on top, the researchers said.

The researchers also disclosed that while testing customers’ applications to validate their Log4j patches, “we discovered on numerous occasions that they were still responding back as vulnerable to the Log4j vulnerability. With one customer, where we had tested across their patched applications, we saw the number of Log4j vulnerabilities go from 10 vulnerable systems, then to 8, then 6, and then suddenly 14 vulnerable systems. In total, 38 vulnerable systems were found that contained the Log4j vulnerability,” they added.

“When we looked deeper, each of the applications that responded back with a positive confirmation that they still had unpatched Log4j components was in fact using a popular 3rd-party log storage & analysis cloud service,” according to the researchers. “The 3rd-party log storage and analysis service was still using an unpatched Log4j logging component somewhere within their service but did not realize that they had the vulnerability,” they added.

The team said that as it “researched the Log4j vulnerability across our customers, the LoNg4j pattern began to emerge, highlighting how interconnected modern enterprise IT infrastructure is and how this digital supply chain extends far beyond the known applications. Modern cloud-based application software is often written where code can make calls to other libraries or services,” they added.

According to the CQ Prime Team, what has resulted is a far-reaching digital supply chain with potentially vulnerable applications running across thousands of organizations. Most security and IT teams probably do not know the full scope and severity of the security blind spots within their organization with LoNg4j.

Adding an exclamation point to the potential depth of the LoNg4j challenge, a survey by the Ponemon Institute found that, on average, each organization works with 5,884 third parties, the CQ Prime Team said. “If any of them are vulnerable and they are in your supply chain, your data is potentially vulnerable. Unless and until you can have each supply chain vendor in your digital supply chain patched and verified, organizations can’t declare victory over Log4j. This is something that can take months to years depending on the size of the organization,” they added.

Organizations have been called upon to expand their testing parameters to include third-party targets in the digital supply chain. Additionally, enterprises must use all available detection methods, ensure outbound DNS requests are monitored, and lengthen testing timeframes up to 24 hours to accommodate supply chain traversal, including any log analysis or event correlation.
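The two recommendations above (monitor outbound DNS, and keep the test window open for up to 24 hours so that callbacks relayed through a third-party service are still attributed to the application that was tested) can be turned into a small correlation check on the defender's side. The script below is an added example written for this page, not code from Cequence or the CQ Prime Team. It assumes that each validation test carries a unique token under a tester-controlled canary domain (the domain name, the tokens, the application names and the resolver log lines are all constructed), and it sorts each tested application into one of three outcomes: a near-immediate callback, a delayed callback within the 24-hour window (the LoNg4j pattern the article describes), or no callback at all. Callbacks that arrive after the window, and callbacks for tokens that were never issued, are reported separately so they are not silently lost.

```python
"""Added example (not from the original post): correlate issued Log4j
validation tokens with outbound DNS resolver logs over a 24-hour window.
All tokens, application names, domains and log lines are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)           # test window the article recommends
IMMEDIATE = timedelta(minutes=5)       # hypothetical cutoff for a "direct" callback
CANARY_DOMAIN = "canary.example.test"  # hypothetical tester-controlled domain

# Constructed: token -> (application under test, time the test request was sent)
ISSUED = {
    "a1f3c9": ("billing-api", datetime(2022, 4, 29, 9, 0)),
    "b72e10": ("portal-web", datetime(2022, 4, 29, 9, 5)),
    "c0ffee": ("partner-gw", datetime(2022, 4, 29, 9, 10)),
}

# Constructed resolver log: "<iso-timestamp> <client-ip> <queried-name>" per line.
# The second canary hit comes from an external address ~15 h after the test,
# which is the supply-chain traversal pattern the article calls LoNg4j.
DNS_LOG = """\
2022-04-29T09:00:12 10.0.1.5 a1f3c9.canary.example.test
2022-04-29T09:06:30 10.0.2.9 www.example.org
2022-04-30T00:14:02 203.0.113.7 b72e10.canary.example.test
2022-04-30T10:00:00 10.0.1.5 c0ffee.canary.example.test
"""


def parse_line(line):
    """Split one resolver log line into (timestamp, client, normalized name)."""
    ts, client, name = line.split()
    return datetime.fromisoformat(ts), client, name.lower().rstrip(".")


def correlate(log_text, issued, window=WINDOW):
    """Attach every canary-domain query to the token it carries.

    Returns (results, unknown, late): per-token hits inside the window,
    queries for tokens that were never issued, and hits outside the window.
    """
    results = {tok: {"app": app, "sent": sent, "hits": []}
               for tok, (app, sent) in issued.items()}
    unknown, late = [], []
    suffix = "." + CANARY_DOMAIN
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name = parse_line(line)
        if not name.endswith(suffix):
            continue                      # ordinary DNS traffic, not a canary query
        tok = name[: -len(suffix)]
        if tok not in results:
            unknown.append((ts, client, name))   # canary query we never issued
            continue
        delay = ts - results[tok]["sent"]
        hit = {"at": ts, "client": client, "delay": delay,
               "delay_h": round(delay.total_seconds() / 3600, 2)}
        if timedelta(0) <= delay <= window:
            results[tok]["hits"].append(hit)
        else:
            late.append((results[tok]["app"], hit))
    return results, unknown, late


def classify(results):
    """Map each tested application to 'immediate', 'delayed' or 'none'."""
    verdict = {}
    for r in results.values():
        if not r["hits"]:
            verdict[r["app"]] = "none"
        elif any(h["delay"] <= IMMEDIATE for h in r["hits"]):
            verdict[r["app"]] = "immediate"
        else:
            verdict[r["app"]] = "delayed"     # callback relayed via a third party
    return verdict


if __name__ == "__main__":
    results, unknown, late = correlate(DNS_LOG, ISSUED)
    for app, verdict in classify(results).items():
        print(f"{app}: {verdict}")
    for app, hit in late:
        print(f"{app}: callback after the window ({hit['delay_h']} h) "
              f"from {hit['client']}; extend the window or investigate")
    for ts, client, name in unknown:
        print(f"unissued token {name} queried by {client} at {ts}")
```

In the constructed data, billing-api answers within seconds, portal-web answers about 15 hours later from an external address (the case the article describes), and partner-gw answers just outside the 24-hour window, which the script surfaces as a late hit rather than a clean result. The source IP of a delayed hit is worth keeping in the report: an address that belongs to a vendor rather than to the tested host is the clue that a third-party service in the supply chain, not the application itself, still carries the unpatched component.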
