Not all software utilizing Log4j is equally attractive from an attacker’s point of view, and the most widely used application isn’t necessarily the one attackers will go after.
About 10% of large enterprises have an Internet-exposed instance of VMware Horizon, a desktop and application virtualization product, yet it is currently the most “attackable” application using Log4j, Randori said in a report (PDF) earlier this month. In contrast, 37% of organizations have multiple Internet-visible instances of cPanel, a web-hosting control panel, but attackers are less likely to target it.
The vulnerability in the Log4j logging library was publicly disclosed a little over four months ago.
“While some [organizations] felt massive blowback from Log4j exposures on their attack surfaces, others managed to weather the storm without major incident,” Randori’s team said. “By understanding how attackers choose their targets during such exposures, defenders can help put their company in the latter category.”
Randori’s approach isn’t just about looking for vulnerabilities that can be exploited, but also thinking about how attackers choose their targets. Adversaries consider several factors when picking their targets, such as where the most initial damage would likely occur and what kind of impact the intrusion would have on the environment. Adversaries are more likely to target applications that would allow them to remain in the environment, so they would be less interested in systems that have a lot of security software that would detect the intrusion. Applications that grant access to other systems or give adversaries privileged access would be a more tempting target.
VMware Horizon is considered the most attackable because if compromised, it gives adversaries access to the rest of the network. Mobile device management platform Jamf and single-sign-on platform PingFederate are used by 1% to 2% of the enterprise market but are ranked second and third on the attackable list because of what adversaries would be able to do next, Randori noted. The authentication and automation mechanisms provided by PingFederate and Jamf would allow adversaries to pivot in the network and expand operations, Randori said.
Jenkins, an automation server to build, test, and deploy software, does not even make the widespread list because the core platform does not include Log4j dependencies. However, some add-ons do use Log4j, and if those instances of Jenkins are compromised, the attackers would have the “keys to the kingdom,” Randori notes.
“Our attack team wouldn’t be surprised to [see] attacks in the wild abusing Log4j in Jenkins,” the company noted.
Most of the applications on the widespread list are application servers or middleware and are less interesting to attackers, because not every version carries Log4j dependencies, and where Log4j arrives only through optional components, the resulting configurations may not be as easily exploited.
Organizations need to understand the software stack underlying their platform, since those dependencies determine whether a system is an attractive target for adversaries, Randori’s team concluded.
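As an added illustration of that last point (example code written for this page, not part of Randori’s report or any vendor tool), the following script inventories a deployed archive for a bundled log4j-core, including copies nested inside a WAR or EAR, and reports the version it finds. The sample WAR is constructed in memory so the script runs offline; the archive paths, the `build_jar` helper and the `MIN_FIXED_VERSION` threshold are assumptions for the demo, and the threshold must be taken from the Log4j project’s current advisory rather than from this code.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Maven metadata that Log4j ships inside log4j-core jars, plus the lookup class
# that only exists in log4j-core; together they identify the library and its version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Assumption for this demo: replace with the fixed version from the Log4j advisory.
MIN_FIXED_VERSION = "2.17.1"


@dataclass
class Log4jHit:
    path: str                 # archive path; nested archives are joined with "!"
    version: Optional[str]    # None when pom.properties is missing
    has_jndi_lookup: bool     # the class is present in the jar


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3]) or (0,)


def _scan_zip(zf: zipfile.ZipFile, prefix: str, hits: List[Log4jHit]) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        hits.append(Log4jHit(prefix, m.group(1).strip() if m else None, JNDI_CLASS in names))
    elif JNDI_CLASS in names:
        # log4j-core classes without Maven metadata (e.g. a shaded/repackaged jar)
        hits.append(Log4jHit(prefix, None, True))
    # Recurse into nested archives such as WEB-INF/lib/*.jar inside a WAR
    for name in sorted(names):
        if name.lower().endswith(NESTED_SUFFIXES):
            data = zf.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    _scan_zip(inner, f"{prefix}!{name}", hits)


def scan_archive(data: bytes, label: str) -> List[Log4jHit]:
    """Inventory one archive (given as bytes) and every archive nested in it."""
    hits: List[Log4jHit] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _scan_zip(zf, label, hits)
    return hits


def needs_attention(hit: Log4jHit, min_fixed_version: str) -> bool:
    """Unknown versions are flagged for review; known ones are compared numerically."""
    if hit.version is None:
        return True
    return parse_version(hit.version) < parse_version(min_fixed_version)


def build_jar(entries: dict) -> bytes:
    """Helper to construct an in-memory jar/war from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a WAR that bundles an older log4j-core as a nested jar.
SAMPLE_LOG4J_JAR = build_jar({
    POM_PROPS: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
    JNDI_CLASS: b"\xca\xfe\xba\xbe",  # class-file magic only; a constructed stand-in
})
SAMPLE_WAR = build_jar({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/log4j-core-2.14.1.jar": SAMPLE_LOG4J_JAR,
    "WEB-INF/lib/other-lib.jar": build_jar({"x/Y.class": b"\xca\xfe\xba\xbe"}),
})


def report(data: bytes, label: str, min_fixed_version: str) -> List[tuple]:
    """(path, version, needs_attention) for every log4j-core found in the archive."""
    return [(h.path, h.version, needs_attention(h, min_fixed_version))
            for h in scan_archive(data, label)]


if __name__ == "__main__":
    for path, version, flagged in report(SAMPLE_WAR, "app.war", MIN_FIXED_VERSION):
        print(f"{path}: log4j-core {version or 'unknown'} -> {'REVIEW' if flagged else 'ok'}")
```

Pointing `scan_archive` at real deployment artifacts (application servers, build-tool caches, vendor appliances) gives the dependency inventory the report calls for; the nested-archive recursion matters because a WAR dropped into a middleware server does not show up in the server’s own dependency list.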